I have been trying to create a custom whitelist for Search Head Cluster replication on one of the cluster members at "splunk_home/etc/system/local/server.conf", but it does not seem to be working.
Here is the content of server.conf:
conf_replication_include.web = true
where I am trying to add web.conf to be replicated across. The file itself is located at "/splunk_home/etc/system/local/web.conf".
Also, I did a rolling restart after it did not replicate within its default 5-second window:
./splunk rolling-restart shcluster-members
Hence there is still no sign of the file getting replicated.
I suspect these file names are case sensitive in the configuration, so rename your file server.conf instead of SERVER.CONF and try again.
You should mark this answer as "Accepted" so people know what the answer was, as well as to get credit for answering your own question here. 🙂
It's not the answer, jtrucks. What I am trying to say here is that it was a typo in my question, where server.conf was written in upper case, which I have fixed, and the main issue still exists.
I've deployed several apps over the last couple weeks in a SHC environment, with extra configs that needed to be replicated. My experience so far has been that:
splunk rolling-restart shcluster-members does not cause the new replication configs to be loaded from
$SPLUNK_HOME/etc/system/local/web.conf, it won't be replicated until you change it again via the web UI)
The most reliable way I've found of ensuring the new conf_replication_include... settings are loaded properly has been to undeploy an app from the search head cluster and then redeploy it. On the deployer:
$SPLUNK_HOME/etc/shcluster/apps to a temporary location
splunk apply shcluster-bundle ... to roll out the search head cluster apps
splunk apply shcluster-bundle ... again to redeploy the bundle
Note that this will trigger two rolling restarts of the search head cluster (one when you undeploy the app and one when you re-deploy it). After this is done, the replication settings should take effect the next time you make a change through the web interface.
As a best practice, I'd recommend creating a "poison pill" app on the deployer. The app itself has all the required folder structure and contents to be treated as a valid Splunk app, but it does nothing (e.g. no inputs, dashboards, saved searches, et cetera). You can undeploy and re-deploy it at will, to trigger the restarts properly, without losing important configs from "real" apps.
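Added example, not part of the original thread and not Splunk's own tooling: a sketch of the undeploy/redeploy cycle from the answer above, using a do-nothing app. The function names, the app name shc_noop_trigger, the SPLUNK override variable and the -target/--answer-yes arguments are this example's assumptions.

```sh
#!/bin/sh
# Added example; function names, the app name and the SPLUNK override are assumptions.

# Create an app with a valid layout but no inputs, dashboards or searches.
make_noop_app() {
    apps_dir=$1; name=$2
    mkdir -p "$apps_dir/$name/default" "$apps_dir/$name/metadata" || return 1
    cat > "$apps_dir/$name/default/app.conf" <<EOF
[install]
state = enabled

[ui]
is_visible = false
label = $name

[launcher]
version = 1.0.0
description = Empty app, exists only to trigger a bundle push
EOF
    printf '[]\naccess = read : [ * ], write : [ admin ]\n' \
        > "$apps_dir/$name/metadata/default.meta"
}

# Undeploy, push, restore, push again. Each push causes a rolling restart.
# splunk prompts for credentials unless you are already logged in.
cycle_app() {
    apps_dir=$1; name=$2; target=$3
    [ -d "$apps_dir/$name" ] || { echo "no such app: $name" >&2; return 1; }
    stash=$(mktemp -d) || return 1
    mv "$apps_dir/$name" "$stash/" || return 1
    if ! ${SPLUNK:-splunk} apply shcluster-bundle --answer-yes -target "$target"; then
        mv "$stash/$name" "$apps_dir/"    # put the app back if the push failed
        rmdir "$stash"
        return 1
    fi
    mv "$stash/$name" "$apps_dir/" && rmdir "$stash" || return 1
    ${SPLUNK:-splunk} apply shcluster-bundle --answer-yes -target "$target"
}

# Usage on the deployer (target is any one cluster member's management URI):
#   make_noop_app "$SPLUNK_HOME/etc/shcluster/apps" shc_noop_trigger
#   cycle_app "$SPLUNK_HOME/etc/shcluster/apps" shc_noop_trigger https://<member>:8089
```

If the first push fails, the app is moved back into place and the function returns non-zero, so the deployer's apps directory is left as it was.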