We are on Splunk 4.2.1 and using deployment server to manage our apps. We'd like to create an app to manage the settings in some of the *.conf files in the .../etc/deployment-apps directories, so users don't have to know linux editors or the subtleties of the parameters in the configuration files. What's the recommended way for programmatically editing a conf file on disk? We could use python libraries or other workarounds, but we're hoping there is experience others can share with doing this.
To help clarify, from the Splunk Manager app and the CLI you can do things such as 'add search-server', which updates a distsearch.conf file. However this typically updates files local to the machine hosting the UI, and in the .../etc/system directory tree. We are looking for similar capability but with the edits going to a conf file (distsearch.conf in this example) in .../etc/deployment-apps directory tree.
No, most of the app framework tools used to interact with configuration file objects only deal with objects in $SPLUNK_HOME/etc/(users|apps). At a higher level, there seems to be some interest in a UI for the Deployment Server, which is something I have been planning for a while.
Thanks for the confirmation that it's not a native feature (yet). Any suggestions on how we might workaround it now? If we get a hint on how Splunk makes the changes to the $SPLUNK_HOME/etc/(users|apps) files then we might be able to apply the same technique ourselves but to different files.
Not really any good suggestions to give at the moment, as most conf files are manipulated through the REST API (C++), which in turn writes the conf files.
I have a suggestion. This is a kludge, but I think it will work. I am concerned about things that would normally be part of $SPLUNK_HOME/etc/system, but depending on your needs, that may not be an issue. Here is my idea:
Create a Splunk instance somewhere. It can be a free copy of Splunk, but I would recommend adding it as a slave to your master license server. This copy of Splunk will do no indexing. It will be independent of all other Splunk instances (except for getting its license).
Create $SPLUNK_HOME/etc/system/local/indexes.conf, with the following lines:
[main] disabled=true [summary] disabled=true [history] disabled=true
If you create indexes in any of your apps, add a similar line to this file for each index you create. This will keep Splunk from actually indexing anything. This probably isn't necessary, but I am concerned about any inputs that might be part of the apps.
On this special server, make a copy of all the deployment-apps - but put them in the regular apps directory instead.
Now you can edit them using the UI.
Finally, you will probably want to create a script that copies
$SPLUNK_HOME/etc/appsfrom this system to
$SPLUNK_HOME/etc/deployment-apps on the real deployment server. You will need to notify the deployment server that you have changed the files, too.
We took a more direct and simpler (for our needs) approach and are using a python script in conjunction with the ConfigParser package to edit the files directly in the .../etc/deployment-apps/... directories. Appreciate all of the interesting suggestions!