Deployment Architecture

Can you help me make changes to the cluster nodes?

rung8
New Member

Hi,

I'm trying to configure changes to my slave nodes. I understand that on the master we have to go to the master apps local and copy files there and push the bundle. But, I was wondering since there is file order precedence, does Splunk look into each file for configurations? Or does it look into highest priority and go with that?

I'm wondering if I just push only one configuration instead of copying the entire default configuration and adding to that. Would the slave nodes still look into the default configuration? Or just the configs from the slave apps?

Thanks

0 Karma

prakash007
Builder

@rung8: I would do this: create a custom app on your cluster master and apply the bundle. This way you have more control over the configurations you deploy, and it's easy to manage...
1. ClusterMaster: $SPLUNK_HOME/etc/master-apps/customapp (with all configs in here)
NOTE: you can have multiple custom apps based on the functionality (easy to differentiate and troubleshoot)
2. ClusterMaster: apply cluster bundle
3. Indexers (peer nodes): $SPLUNK_HOME/etc/slave-apps/customapp (downloaded here by default)
Follow this Splunk doc for more details...
https://docs.splunk.com/Documentation/Splunk/7.2.1/Indexer/Updatepeerconfigurations#Structure_of_the...

0 Karma

rung8
New Member

Thanks for your reply prakash007.

What would be the difference from creating the customapp directory and adding configuration files there compared to creating them inside $splunk_home/etc/master-apps/_cluster/local?

0 Karma

prakash007
Builder

You will end up with all configs in one location ($SPLUNK_HOME/etc/master_apps/_cluster/local), but with custom apps...
For instance, I create 2 different custom apps, like network_TA (props and transforms, etc.) for my network gear and apache_TA (props and transforms, etc.) for Apache logs.
In that way it's easy to manage the configs based on functionality. At the end, it's your preference 🙂

0 Karma

rung8
New Member

Ah I see. Thank you very much for this input. I can see how much more flexible it is when configured this way. I will try it out.

One more thing: when these files are created in custom apps, does Splunk still look into the default configuration? I read some resource that said only add what you need in the upper configuration, so based on that I'm assuming it still does. But then there's the question of what if there are configuration conflicts, such as indexes.conf when defining an index.

I hope that makes sense and if you can clarify this it would be great! Thank you

0 Karma

prakash007
Builder

There are a few configs that are not recommended to distribute through the bundle...
https://docs.splunk.com/Documentation/Splunk/7.2.1/Indexer/Updatepeerconfigurations#Settings_that_yo...

How the file precedence works..
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Wheretofindtheconfigurationfiles#Precedence_...

Coming to conflicts, it depends on your orchestration when you make any changes to configs.

0 Karma
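
The per-setting layering asked about in this thread, as an added example that is not part of any post and is not Splunk code: it merges indexes.conf layers in the order Splunk documents for cluster peers and records which layer supplied each setting. The `network` stanza, the `*` app placeholder and all file contents are constructed for illustration.

```python
# Added illustration, not Splunk code. Layer order (highest priority first) is
# Splunk's documented precedence for cluster peers; "*" stands for one app, and
# ordering between several apps in the same layer is not modelled.
PEER_LAYERS = [
    "slave-apps/*/local",
    "system/local",
    "apps/*/local",
    "slave-apps/*/default",
    "apps/*/default",
    "system/default",
]

def parse_conf(text):
    """Parse minimal .conf text into {stanza: {setting: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective_config(layers):
    """Merge setting by setting; returns {stanza: {setting: (value, layer)}}."""
    merged = {}
    # Lowest priority first, so a higher layer replaces only the keys it sets.
    for layer in reversed(PEER_LAYERS):
        for stanza, settings in parse_conf(layers.get(layer, "")).items():
            for key, value in settings.items():
                merged.setdefault(stanza, {})[key] = (value, layer)
    return merged

# Constructed indexes.conf contents for one peer (values are samples).
SAMPLE = {
    "system/default": "[default]\nmaxTotalDataSizeMB = 500000\n",
    "system/local": "[network]\nmaxTotalDataSizeMB = 100000\nfrozenTimePeriodInSecs = 7776000\n",
    "slave-apps/*/local": "[network]\nhomePath = $SPLUNK_DB/network/db\nfrozenTimePeriodInSecs = 2592000\n",
}

if __name__ == "__main__":
    for stanza, settings in effective_config(SAMPLE).items():
        for key, (value, layer) in settings.items():
            print(f"[{stanza}] {key} = {value}    <- {layer}")
```

In this sample the pushed app supplies `frozenTimePeriodInSecs`, while `maxTotalDataSizeMB` still comes from the peer's system/local and the `[default]` stanza from system/default. On a real peer, `splunk btool indexes list --debug` reports the file each effective setting came from.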