
Writing to a .conf/.json file on a search head cluster via Python

alucarddjin
Path Finder

I am trying to make an app (using Python) in which a user will select key field details that have to be saved into a settings file (json or conf), but currently when it writes, it's only saving to the search head the user is currently on, not replicating across them all.

0 Karma

richgalloway
SplunkTrust

We need more information. How exactly are you saving the file ("using Python" is not enough)?  Which API or command are you using?  Where is the file being saved?

---
If this reply helps you, Karma would be appreciated.
0 Karma

alucarddjin
Path Finder

I didn't put too much detail in because I want to know what's best practice when dealing with a clustered search head.

Currently I'm using json.dump into the apps bin folder like this:

import json

# fields holds the key field details the user selected
with open('/apps/appname/bin/fields.json', 'w') as file:
    json.dump(fields, file)

Again though I'm not set on this way, just what's the proper way to deal with writing on a clustered search head.

0 Karma

richgalloway
SplunkTrust

Thanks for clarifying.  SHCs do not replicate every file.  To see what is replicated, visit https://docs.splunk.com/Documentation/Splunk/8.2.1/DistSearch/HowconfrepoworksinSHC

The preferred method for distributing app configurables to a SHC is to put them on the SHC deployer and then push the bundle to the cluster.

---
If this reply helps you, Karma would be appreciated.

alucarddjin
Path Finder

Thanks for that. It points me in the right direction at least.

We do currently use the deployer for this file but the issue comes up that people can't edit it on the search head without us having to put it into BitBucket then pushing to the deployer. I was hoping for a tool they could update in Splunk without devs being involved 😖

0 Karma
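
Added example (not code from any poster in this thread, and not Splunk's own): one way to let users change settings from inside Splunk is to write them to a custom .conf file through splunkd's REST API instead of opening a file in the app's bin folder, because configuration changes made through REST go through SHC configuration replication. The conf file name `appname_settings`, the stanza `fields`, the management URL and the helper names are assumptions; it also assumes the stanza already ships in the app's default directory via the deployer and that the custom conf file is enabled for replication with `conf_replication_include.<conf_file_name>` in server.conf.

```python
import json
import re
import ssl
import urllib.parse
import urllib.request

# Names may only contain URL-path-safe characters and may not start with "."
# or "-", so a user-supplied name cannot change the endpoint being called.
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def build_conf_update(mgmt_url, session_key, app, conf, stanza, settings):
    """Build a POST to servicesNS/nobody/<app>/configs/conf-<conf>/<stanza>.

    app, conf and stanza are hypothetical names chosen for this example.
    """
    for name in (app, conf, stanza, *settings):
        if not NAME_RE.match(name):
            raise ValueError(f"unsafe name: {name!r}")
    # Serialise structured values (lists, bools) to JSON text.
    body = {k: v if isinstance(v, str) else json.dumps(v)
            for k, v in settings.items()}
    # Conservative check (an assumption of this example): single-line values only.
    for value in body.values():
        if "\n" in value or "\r" in value:
            raise ValueError("multi-line values are rejected")
    url = (f"{mgmt_url.rstrip('/')}/servicesNS/nobody/{app}"
           f"/configs/conf-{conf}/{stanza}")
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode(body).encode(),
        headers={"Authorization": f"Splunk {session_key}"},
        method="POST",
    )


def save_settings(request, ca_file=None):
    """Send the request to splunkd with TLS certificate verification on."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=10) as resp:
        return resp.status
```

The session key would come from the logged-in user's Splunk session, so the write is subject to that user's capabilities and the app's permissions.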