Deployment Architecture

Can you control what gets replicated between search heads?

jwoger_splunk
Splunk Employee
Splunk Employee

I would like to know if there is a way to control what configurations are replicated between search heads in a search head cluster.

1 Solution

RicoSuave
Builder

Yes! Via whitelists and black lists located in server.conf. These default stanzas control our default replications:
From Spec:

conf_replication_include. =

* Controls whether Splunk replicates changes to a particular type of *.conf file, along with any associated permissions in *.meta files.
* Defaults to false.

conf_replication_summary.whitelist. =

* Whitelist files to be included in configuration replication summaries.

conf_replication_summary.blacklist. =

* Blacklist files to be excluded from configuration replication summaries.

And our default values:

/opt/splunk/etc/system/default/server.conf conf_deploy_repository = $SPLUNK_HOME/etc/shcluster 
/opt/splunk/etc/system/default/server.conf conf_deploy_staging = $SPLUNK_HOME/var/run/splunk/deploy 
/opt/splunk/etc/system/default/server.conf conf_replication_include.alert_actions = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.collections = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.commands = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.datamodels = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.event_renderers = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.eventtypes = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.fields = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.history = false 
/opt/splunk/etc/system/default/server.conf conf_replication_include.html = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.literals = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.lookups = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.macros = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.manager = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.models = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.multikv = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.nav = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.panels = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.props = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.quickstart = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.savedsearches = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.searchbnf = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.searchscripts = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.segmenters = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.tags = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.times = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.transactiontypes = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.transforms = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.ui-prefs = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.ui-tour = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.user-prefs = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.views = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.viewstates = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.workflow_actions = true 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.blacklist.lookup_index = (system|(apps/*)|users(/_reserved)?/*/*)/lookups/*.(tmp$|index($|/...)) 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.lookups = (system|(apps/*)|users(/_reserved)?/*/*)/lookups/* 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.refine.local = (system|(apps/*)|users(/_reserved)?/*/*)/(local/...|metadata/local.meta) 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.repo = system/replication/*.json 

View solution in original post

Steve_G_
Splunk Employee
Splunk Employee
0 Karma

RicoSuave
Builder

Yes! Via whitelists and black lists located in server.conf. These default stanzas control our default replications:
From Spec:

conf_replication_include. =

* Controls whether Splunk replicates changes to a particular type of *.conf file, along with any associated permissions in *.meta files.
* Defaults to false.

conf_replication_summary.whitelist. =

* Whitelist files to be included in configuration replication summaries.

conf_replication_summary.blacklist. =

* Blacklist files to be excluded from configuration replication summaries.

And our default values:

/opt/splunk/etc/system/default/server.conf conf_deploy_repository = $SPLUNK_HOME/etc/shcluster 
/opt/splunk/etc/system/default/server.conf conf_deploy_staging = $SPLUNK_HOME/var/run/splunk/deploy 
/opt/splunk/etc/system/default/server.conf conf_replication_include.alert_actions = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.collections = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.commands = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.datamodels = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.event_renderers = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.eventtypes = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.fields = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.history = false 
/opt/splunk/etc/system/default/server.conf conf_replication_include.html = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.literals = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.lookups = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.macros = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.manager = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.models = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.multikv = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.nav = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.panels = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.props = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.quickstart = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.savedsearches = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.searchbnf = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.searchscripts = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.segmenters = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.tags = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.times = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.transactiontypes = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.transforms = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.ui-prefs = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.ui-tour = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.user-prefs = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.views = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.viewstates = true 
/opt/splunk/etc/system/default/server.conf conf_replication_include.workflow_actions = true 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.blacklist.lookup_index = (system|(apps/*)|users(/_reserved)?/*/*)/lookups/*.(tmp$|index($|/...)) 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.lookups = (system|(apps/*)|users(/_reserved)?/*/*)/lookups/* 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.refine.local = (system|(apps/*)|users(/_reserved)?/*/*)/(local/...|metadata/local.meta) 
/opt/splunk/etc/system/default/server.conf conf_replication_summary.whitelist.repo = system/replication/*.json 
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...