Deployment Architecture

Can you control what gets replicated between search heads?

jwoger_splunk
Splunk Employee
Splunk Employee

I would like to know if there is a way to control what configurations are replicated between search heads in a search head cluster.

1 Solution

RicoSuave
Builder

Yes! Via whitelists and black lists located in server.conf. These default stanzas control our default replications:
From Spec:

conf_replication_include. =

* Controls whether Splunk replicates changes to a particular type of *.conf file, along with any associated permissions in *.meta files.
* Defaults to false.

conf_replication_summary.whitelist. =

* Whitelist files to be included in configuration replication summaries.

conf_replication_summary.blacklist. =

* Blacklist files to be excluded from configuration replication summaries.

And our default values:

/opt/splunk/etc/system/default/server.conf conf_deploy_repository = $SPLUNK_HOME/etc/shcluster 
/opt/splunk/etc/system/default/server.conf conf_deploy_staging = $SPLUNK_HOME/var/run/splunk/deploy 
/opt/splunk/etc/system/default/server.conf conf_replication_include.alert_actions = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.collections = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.commands = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.datamodels = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.event_renderers = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.eventtypes = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.fields = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.history = false 
/opt/splunk/etc/system/default/server.conf conf_replication_include.html = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.literals = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.lookups = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.macros = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.manager = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.models = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.multikv = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.nav = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.panels = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.props = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.quickstart = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.savedsearches = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.searchbnf = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.searchscripts = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.segmenters = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.tags = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.times = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.transactiontypes = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.transforms = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.ui-prefs = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.ui-tour = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.user-prefs = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.views = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.viewstates = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.workflow_actions = true 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.blacklist.lookup_index = (system|(apps/*)|users(/_reserved)?/*/*)/lookups/*.(tmp$|index($|/...)) 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.lookups = (system|(apps/*)|users(/_reserved)?/*/*)/lookups/* 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.refine.local = (system|(apps/*)|users(/_reserved)?/*/*)/(local/...|metadata/local.meta) 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.repo = system/replication/*.json 

View solution in original post

Steve_G_
Splunk Employee
Splunk Employee
0 Karma

RicoSuave
Builder

Yes! Via whitelists and black lists located in server.conf. These default stanzas control our default replications:
From Spec:

conf_replication_include. =

* Controls whether Splunk replicates changes to a particular type of *.conf file, along with any associated permissions in *.meta files.
* Defaults to false.

conf_replication_summary.whitelist. =

* Whitelist files to be included in configuration replication summaries.

conf_replication_summary.blacklist. =

* Blacklist files to be excluded from configuration replication summaries.

And our default values:

/opt/splunk/etc/system/default/server.conf conf_deploy_repository = $SPLUNK_HOME/etc/shcluster 
/opt/splunk/etc/system/default/server.conf conf_deploy_staging = $SPLUNK_HOME/var/run/splunk/deploy 
/opt/splunk/etc/system/default/server.conf conf_replication_include.alert_actions = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.collections = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.commands = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.datamodels = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.event_renderers = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.eventtypes = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.fields = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.history = false 
/opt/splunk/etc/system/default/server.conf conf_replication_include.html = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.literals = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.lookups = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.macros = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.manager = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.models = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.multikv = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.nav = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.panels = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.props = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.quickstart = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.savedsearches = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.searchbnf = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.searchscripts = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.segmenters = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.tags = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.times = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.transactiontypes = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.transforms = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.ui-prefs = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.ui-tour = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.user-prefs = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.views = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.viewstates = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.workflow_actions = true 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.blacklist.lookup_index = (system|(apps/*)|users(/_reserved)?/*/*)/lookups/*.(tmp$|index($|/...)) 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.lookups = (system|(apps/*)|users(/_reserved)?/*/*)/lookups/* 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.refine.local = (system|(apps/*)|users(/_reserved)?/*/*)/(local/...|metadata/local.meta) 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.repo = system/replication/*.json 
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...