Deployment Architecture

Can you help me make changes to the cluster nodes?

New Member

Hi,

I'm trying to configure changes to my slave nodes. I understand that on the master we have to go to the master apps local and copy files there and push the bundle. But, I was wondering since there is file order precedence, does Splunk look into each file for configurations? Or does it look into highest priority and go with that?

I'm wondering if I just push only one configuration instead of copying the entire default configuration and adding to that. Would the slave nodes still look into the default configuration? Or just the configs from the slave apps?

Thanks

0 Karma

Builder

@rung8: I would do this, create a custom-app on your cluster-master and apply the bundle, in this way you have more control over the configurations you deploy and it's easy to manage...
1. ClusterMaster: $SPLUNKHOME/etc/master-apps/customapp(with all configs in here)
NOTE:you can have multiple-custom apps based on the functionality(easy to differentiate and troubleshoot)
2. ClusterMaster:apply cluster bundle
3. Indexers(Peer-nodes): $SPLUNK
HOME/etc/slave-apps/customapp(downloaded here by default)
Follow this splunkdoc for more details...
https://docs.splunk.com/Documentation/Splunk/7.2.1/Indexer/Updatepeerconfigurations#Structureoftheconfigurationbundle

0 Karma

New Member

Thanks for your reply prakash007.

What would be the difference from creating the customapp directory and adding configuration files there compared to creating them inside $splunkhome/etc/master-apps/cluster/local

0 Karma

Builder

you will end up with all configs in one location($SPLUNKHOME/etc/masterapps/cluster/local), but with custom-apps...
for instance I create 2 different custom-apps like network
TA(props and transforms..etc)for my network gear,apache_TA(props and transforms..etc) for apache logs..
In that way it's easy to manage the configs based on functionality, at the end it's your preference 🙂

0 Karma

New Member

Ah I see. Thank you very much for this input. I can see how much more flexible it is when configured this way. I will try it out.

  • One more thing So when these files are created in custom apps. Does splunk still look into the default configuration? I read some resource that said only add what you need in the upper configuration. So based on that im assuming it still does. But then theres the question of what if there are configuration conflicts such as indexes.conf when defining an index.

I hope that makes sense and if you can clarify this it would be great! Thank you

0 Karma

Builder

There are few configs that are not recommended to distribute through the bundle...
https://docs.splunk.com/Documentation/Splunk/7.2.1/Indexer/Updatepeerconfigurations#Settingsthatyoushouldnotdistributethroughtheconfiguration_bundle

How the file precedence works..
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Wheretofindtheconfigurationfiles#Precedenceforclusterpeernodes

Coming to conflicts, it depends on your orchestration when you make any changes to configs.

0 Karma