Deploy an app using deployment server and make searches globally available by default?

dave_duvall
Explorer

I have an "app" that I deploy with my 4.x deployment server. It sends savedsearches.conf, tags.conf, props.conf, eventtypes.conf and transforms.conf to my distributed indexers globally (I have 4 indexers - US, EMEA, Asia and Latin America). This ensures when I run a distributed search that I have appropriate tags, etc. in place on all indexers.

In the 3.x world these configs pushed without issue. In 4.x I get the configuration to the boxes, but the savedsearches, eventtypes, etc., for example, are not globally available. Can I define the deployment-app in such a way as to make all objects accessible in all apps? Basically, I want them to behave as if they were created in the search app.

I have all my *.conf files in /opt/splunk/etc/deployment-apps/discovery_indexer/default on the deployment server and this ends up in /opt/splunk/etc/apps/discovery_indexer/default on my indexers.

I saw a reference to configuring local.meta on this page http://www.splunk.com/base/Documentation/4.0.10/Admin/Apparchitectureandobjectownership but I wasn't sure if this applied to apps delivered via deployment manager or not, and I also couldn't find any detailed syntax on local.meta.


Lowell
Super Champion

If you want everything globally available, simply put this in your local.meta file:

[]
export = system

I found this trick in one of Splunk's apps and just copied it. It's the simplest way to go back to the old 3.x style, everything-is-global approach.


If you want to be more explicit, or have more fine-grained control, you can make just certain types of objects globally available. For example, you can enable access to tags and saved searches like this:

[savedsearches]
access = read : [ * ], write : [ admin ]
owner = nobody
export = system

[tags]
access = read : [ * ], write : [ admin ]
owner = nobody
export = system
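
An added example, not part of the original answer or Splunk's own tooling: a small Python audit that reads a local.meta-style file and reports, per stanza, whether it is exported to every app and which roles can read and write it. The sample text is constructed from the snippets above plus a hypothetical over-permissive [eventtypes] stanza; the inheritance from [] and the app-private default for a missing export setting are assumptions marked in the code.

```python
import re

# Constructed sample: the answer's snippets plus one over-permissive stanza.
SAMPLE_META = """\
[]
export = system

[savedsearches]
access = read : [ * ], write : [ admin ]
owner = nobody
export = system

[eventtypes]
access = read : [ * ], write : [ * ]
"""
ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Return {stanza: {key: value}}; '' is the app-wide [] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def audit(text):
    """Return (stanza, export, read_roles, write_roles) per stanza."""
    stanzas = parse_meta(text)
    default = stanzas.get("", {})
    report = []
    for name, keys in stanzas.items():
        merged = {**default, **keys}  # assumption: stanzas inherit from []
        roles = {"read": [], "write": []}
        for kind, body in ACCESS_RE.findall(merged.get("access", "")):
            roles[kind] = [r.strip() for r in body.split(",") if r.strip()]
        export = merged.get("export", "none")  # assumption: unset = app-private
        report.append((name or "[]", export, roles["read"], roles["write"]))
    return report

def risky(text):
    """Stanzas exported to every app and writable by any role."""
    return [s for s, exp, _, w in audit(text) if exp == "system" and "*" in w]
```

With the blanket `[]` export in place, the constructed [eventtypes] stanza becomes global even though it never sets export itself, which is the case worth checking before pushing the app to every indexer.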


dave_duvall
Explorer

I went with your first suggestion and it worked like a charm. Thanks for throwing in the more detailed syntax as well.
