Deployment Architecture

Can you help me make changes to the cluster nodes?

rung8
New Member

Hi,

I'm trying to configure changes to my slave nodes. I understand that on the master we have to go to the master apps local and copy files there and push the bundle. But, I was wondering since there is file order precedence, does Splunk look into each file for configurations? Or does it look into highest priority and go with that?

I'm wondering if I just push only one configuration instead of copying the entire default configuration and adding to that. Would the slave nodes still look into the default configuration? Or just the configs from the slave apps?

Thanks

0 Karma

prakash007
Builder

@rung8: I would do this: create a custom app on your cluster master and apply the bundle. This way you have more control over the configurations you deploy, and it's easy to manage...
1. ClusterMaster: $SPLUNK_HOME/etc/master-apps/customapp (with all configs in here)
NOTE: you can have multiple custom apps based on functionality (easy to differentiate and troubleshoot)
2. ClusterMaster: apply cluster bundle
3. Indexers (peer nodes): $SPLUNK_HOME/etc/slave-apps/customapp (downloaded here by default)
Follow this Splunk doc for more details...
https://docs.splunk.com/Documentation/Splunk/7.2.1/Indexer/Updatepeerconfigurations#Structure_of_the...

0 Karma

rung8
New Member

Thanks for your reply prakash007.

What would be the difference between creating the customapp directory and adding configuration files there, compared to creating them inside $splunk_home/etc/master-apps/_cluster/local?

0 Karma

prakash007
Builder

You will end up with all configs in one location ($SPLUNK_HOME/etc/master_apps/_cluster/local), but with custom apps...
For instance, I create 2 different custom apps, like network_TA (props and transforms, etc.) for my network gear and apache_TA (props and transforms, etc.) for Apache logs.
That way it's easy to manage the configs based on functionality. In the end, it's your preference 🙂

0 Karma

rung8
New Member

Ah I see. Thank you very much for this input. I can see how much more flexible it is when configured this way. I will try it out.

One more thing: when these files are created in custom apps, does Splunk still look into the default configuration? I read a resource that said to only add what you need in the upper configuration, so based on that I'm assuming it still does. But then there's the question of what happens if there are configuration conflicts, such as in indexes.conf when defining an index.

I hope that makes sense and if you can clarify this it would be great! Thank you

0 Karma

prakash007
Builder

There are a few configs that are not recommended to distribute through the bundle...
https://docs.splunk.com/Documentation/Splunk/7.2.1/Indexer/Updatepeerconfigurations#Settings_that_yo...

How the file precedence works..
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Wheretofindtheconfigurationfiles#Precedence_...

Coming to conflicts, it depends on your orchestration when you make any changes to configs.

0 Karma
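
The attribute-level layering asked about in this thread, as an added example that is not part of the original posts and not Splunk's own code. It assumes the peer-node precedence order described in the linked precedence documentation (slave-apps local highest, system default lowest); the layer names and the sample indexes.conf contents are constructed.

```python
# Added example: models how layered .conf files combine on a cluster peer.
# Layer names and sample stanzas are constructed for illustration.

# Lowest to highest priority on a peer node (assumption: order taken from
# the precedence documentation linked in the thread).
PEER_LAYERS = [
    "system/default",
    "apps/default",
    "slave-apps/default",
    "apps/local",
    "system/local",
    "slave-apps/local",
]

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, skipping comments and blanks."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def merge_layers(files):
    """files maps layer name -> .conf text. Returns {stanza: {key: (value, layer)}}."""
    merged = {}
    for layer in PEER_LAYERS:  # higher-priority layers overwrite one key at a time
        for stanza, settings in parse_conf(files.get(layer, "")).items():
            for key, value in settings.items():
                merged.setdefault(stanza, {})[key] = (value, layer)
    return merged

# Constructed sample: shipped defaults plus a small custom app pushed in the bundle.
SAMPLE = {
    "system/default": "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\nmaxTotalDataSizeMB = 500000\n",
    "slave-apps/local": "[main]\nmaxTotalDataSizeMB = 100000\n[network]\nhomePath = $SPLUNK_DB/network/db\n",
}

if __name__ == "__main__":
    for stanza, settings in merge_layers(SAMPLE).items():
        for key, (value, layer) in settings.items():
            print(f"[{stanza}] {key} = {value}    <- {layer}")
```

On a real peer, `splunk btool indexes list --debug` prints the merged settings together with the file each one came from.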