- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Deploy an app using deployment server and make sea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an "app" that I deploy with my 4.x deployment server. It sends savedsearches.conf, tags.conf, props.conf, eventtypes.conf and transforms.conf to my distributed indexers globally (I have 4 indexers - US, EMEA, Asia and Latin America). This ensures when I run a distributed search that I have appropriate tags, etc. in place on all indexers.
In the 3.x world these configs pushed without issue. In 4.x I get the configuration to the boxes but the savedsearches, eventtypes, etc for example are not globally available. Can I define the deployment-app in such a way as to make all objects accessible in all apps. Basically want them to behave as if they were created in the search app.
I have all my *.conf files in /opt/splunk/etc/deployment-apps/discovery_indexer/default on the deployment server and this ends up in /opt/splunk/etc/apps/discovery_indexer/default on my indexers.
I saw reference to configuring local.meta on this page http://www.splunk.com/base/Documentation/4.0.10/Admin/Apparchitectureandobjectownership but I wasn't sure if this applied to apps delivered via deployment manager or not and also I couldn't find any detailed syntax on local.meta
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want everything globally available, simply put this in your local.meta file:
[] export = system
I found this trick in one of splunk's apps and just copied it. It's the simplest way to go back to the old 3.x style, everything-is-global approach.
If you want to to be more explict, or have more fine-grained control, you can make just certain types of objects globally available. For example, you can enable access to tags and saved searches like this:
[savedsearches] access = read : [ * ], write : [ admin ] owner = nobody export = system [tags] access = read : [ * ], write : [ admin ] owner = nobody export = system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want everything globally available, simply put this in your local.meta file:
[] export = system
I found this trick in one of splunk's apps and just copied it. It's the simplest way to go back to the old 3.x style, everything-is-global approach.
If you want to to be more explict, or have more fine-grained control, you can make just certain types of objects globally available. For example, you can enable access to tags and saved searches like this:
[savedsearches] access = read : [ * ], write : [ admin ] owner = nobody export = system [tags] access = read : [ * ], write : [ admin ] owner = nobody export = system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I went with your first suggestion and it worked like a charm. Thanks for throwing in the more detailed syntax as well.
Splunk Security Content for Threat Detection & Response, Q1 Roundup
Splunk Life | Happy Pride Month!
SplunkTrust | Where Are They Now - Michael Uschmann
