Deployment Architecture

How do I programmatically edit conf files in the deployment-apps directory

beaumaris
Communicator

We are on Splunk 4.2.1 and using deployment server to manage our apps. We'd like to create an app to manage the settings in some of the *.conf files in the .../etc/deployment-apps directories, so users don't have to know linux editors or the subtleties of the parameters in the configuration files. What's the recommended way for programmatically editing a conf file on disk? We could use python libraries or other workarounds, but we're hoping there is experience others can share with doing this.

To help clarify, from the Splunk Manager app and the CLI you can do things such as 'add search-server', which updates a distsearch.conf file. However this typically updates files local to the machine hosting the UI, and in the .../etc/system directory tree. We are looking for similar capability but with the edits going to a conf file (distsearch.conf in this example) in .../etc/deployment-apps directory tree.

Tags (1)

beaumaris
Communicator

We took a more direct and simpler (for our needs) approach and are using a python script in conjunction with the ConfigParser package to edit the files directly in the .../etc/deployment-apps/... directories. Appreciate all of the interesting suggestions!

0 Karma

lguinn2
Legend

I have a suggestion. This is a kludge, but I think it will work. I am concerned about things that would normally be part of $SPLUNK_HOME/etc/system, but depending on your needs, that may not be an issue. Here is my idea:

Create a Splunk instance somewhere. It can be a free copy of Splunk, but I would recommend adding it as a slave to your master license server. This copy of Splunk will do no indexing. It will be independent of all other Splunk instances (except for getting its license).

Create $SPLUNK_HOME/etc/system/local/indexes.conf, with the following lines:

[main]
disabled=true
[summary]
disabled=true
[history]
disabled=true

If you create indexes in any of your apps, add a similar line to this file for each index you create. This will keep Splunk from actually indexing anything. This probably isn't necessary, but I am concerned about any inputs that might be part of the apps.

On this special server, make a copy of all the deployment-apps - but put them in the regular apps directory instead.

Now you can edit them using the UI.

Finally, you will probably want to create a script that copies $SPLUNK_HOME/etc/appsfrom this system to $SPLUNK_HOME/etc/deployment-apps on the real deployment server. You will need to notify the deployment server that you have changed the files, too.

0 Karma

araitz
Splunk Employee
Splunk Employee

No, most of the app framework tools used to interact with configuration file objects only deal with objects in $SPLUNK_HOME/etc/(users|apps). At a higher level, there seems to be some interest in a UI for the Deployment Server, which is something I have been planning for a while.

0 Karma

araitz
Splunk Employee
Splunk Employee

Not really any good suggestions to give at the moment, as most conf files are manipulated through the REST API (C++), which in turn writes the conf files.

0 Karma

beaumaris
Communicator

Thanks for the confirmation that it's not a native feature (yet). Any suggestions on how we might workaround it now? If we get a hint on how Splunk makes the changes to the $SPLUNK_HOME/etc/(users|apps) files then we might be able to apply the same technique ourselves but to different files.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...