Custom whitelist for Search Head Cluster Replication
I have been trying to create a custom whitelist for Search Head Cluster replication on one of the cluster members at "splunk_home/etc/system/local/server.conf", but it does not seem to be working.
Here is the content of server.conf:
Custom changes replicated
conf_replication_include.web = true
where I am trying to add web.conf to be replicated across the cluster. The file itself is located at "/splunk_home/etc/system/local/web.conf".
Also, I did a rolling restart after it was not replicated within its default 5 second window:
./splunk rolling-restart shcluster-members
Still no sign of the file getting replicated.
I've deployed several apps over the last couple weeks in a SHC environment, with extra configs that needed to be replicated. My experience so far has been that:
- splunk rolling-restart shcluster-members does not cause the new replication configs to be loaded from server.conf
- Once the extra replication configs have been properly loaded by all the cluster members, the replication is only triggered when you make changes via the web UI (e.g. if there already was a $SPLUNK_HOME/etc/system/local/web.conf, it won't be replicated until you change it again via the web UI)
- If the app requires configuring a password as part of the setup process, the passwords may not be replicated across the search head cluster (even if the rest of the config file is replicated), so you have to log into each search head in the cluster and set the password explicitly. I saw this when setting up SA-ldapsearch, Splunk App for VMWare, and Splunk App for NetApp Data ONTAP.
The most reliable way I've found of ensuring the new conf_replication_include... settings are loaded properly has been to undeploy an app from the search head cluster and then redeploy it. On the deployer:
- Move an app from $SPLUNK_HOME/etc/shcluster/apps to a temporary location
- Run splunk apply shcluster-bundle ... to roll out the search head cluster apps
- Move the app back into $SPLUNK_HOME/etc/shcluster/apps
- Run splunk apply shcluster-bundle ... again to redeploy the bundle
Note that this will trigger two rolling restarts of the search head cluster (one when you undeploy the app and one when you re-deploy it). After this is done, the replication settings should take effect the next time you make a change through the web interface.
As a best practice, I'd recommend creating a "poison pill" app on the deployer. The app itself has all the required folder structure and contents to be treated as a valid Splunk app, but it does nothing (e.g. no inputs, dashboards, saved searches, et cetera). You can undeploy and re-deploy it at-will, to trigger the restarts properly, without losing important configs from "real" apps.
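
The undeploy/redeploy cycle described in the answer above, written out as shell functions for the deployer. This is an added example, not part of the original post or Splunk's own tooling. The app name zz_poison_pill, the SPLUNK_BIN override, the function names and the app.conf contents are assumptions; whatever arguments you give cycle_pill are passed through to splunk apply shcluster-bundle in place of the "..." in the steps.

```shell
#!/bin/sh
# Added example: cycle a no-op "poison pill" app through the deployer.
# Assumed names (not from the thread): PILL_NAME, SPLUNK_BIN, function names.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_BIN="${SPLUNK_BIN:-$SPLUNK_HOME/bin/splunk}"
PILL_NAME="${PILL_NAME:-zz_poison_pill}"

apps_dir() { echo "$SPLUNK_HOME/etc/shcluster/apps"; }

# Create the empty app skeleton (no inputs, dashboards or searches).
make_pill() {
    pill="$(apps_dir)/$PILL_NAME"
    mkdir -p "$pill/default" "$pill/metadata" || return 1
    [ -f "$pill/default/app.conf" ] && return 0
    cat > "$pill/default/app.conf" <<EOF
[install]
state = enabled

[ui]
is_visible = false
label = $PILL_NAME
EOF
    : > "$pill/metadata/default.meta"
}

# Push whatever is currently in shcluster/apps. "$@" carries the arguments
# the thread elides as "..." (typically -target and -auth).
push_bundle() { "$SPLUNK_BIN" apply shcluster-bundle "$@"; }

# Undeploy, then redeploy the pill: two pushes, so two rolling restarts.
cycle_pill() {
    pill="$(apps_dir)/$PILL_NAME"
    [ -d "$pill" ] || { echo "missing $pill, run make_pill first" >&2; return 1; }
    stash="$(mktemp -d)" || return 1
    mv "$pill" "$stash/" || return 1
    if ! push_bundle "$@"; then
        mv "$stash/$PILL_NAME" "$pill"   # put the app back if the push failed
        rmdir "$stash"
        return 1
    fi
    mv "$stash/$PILL_NAME" "$pill" || return 1
    rmdir "$stash"
    push_bundle "$@"
}
```

Source the file on the deployer, run make_pill once, then cycle_pill with the same arguments you normally give splunk apply shcluster-bundle.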
All right Steven, I am gonna give that a shot by creating a poison pill.
It was a case typo in the question, not the case with my config files on the servers.

You should mark this answer as "Accepted" so people know what the answer was, as well as to get credit for answering your own question here. 🙂
Jesse Trucks
Minister of Magic
It's not the answer, jtrucks. What I am trying to say here is that it was a typo in my question, where server.conf was written in upper case, which I have fixed, and the main issue still exists.

I suspect these file names are case sensitive in the configuration, so rename your file server.conf instead of SERVER.CONF and try again.
Jesse Trucks
Minister of Magic
