Deployment Architecture

Deployment Server: Automated Reload/Push

MHibbin
Influencer

Hi All,

I have had a look through some Q&A on here, but haven't really seen much in the way of automation with regards to the Deployment Server... I hope I have not missed something blindingly obvious/stupid.

I have a use-case where regular changes happen within the deployment that need to be distributed to forwarders, mainly lists of hosts which need to be passed to a collection script. The user maintains this list from Splunkweb, with the help of a python script. In this script I have included a subprocess to call the "./splunk reload deploy-server" command, which is fine.

I was, however, wondering about having a script running in the background which does a periodic reload of the deployment server to confirm that all of the deployment is up-to-date, perhaps running every 5 minutes (perhaps).

Has anyone done anything similar to this?
Are there any pitfalls to watch out for?
Any reason why I shouldn't do this?

Thanks in advance,

MHibbin

Runals
Motivator

I think pitfalls depend on the scope of your overall deployment, how you handle change management, and how many people update content to be pushed via the deployment server. For example in my environment via 1 DS I manage all ~950 forwarders + my indexers + search heads. The indexers and SHs via the serverclass.conf aren't configured to automatically reboot when new data is pushed though I can adjust that depending on the time of day as I don't want to kick folks off the system during the normal production hours. At any rate easy enough to mitigate though something to keep in mind.

The other side of this would be how timely is it to make sure new data is coming into the system relative to changes (will data be lost after X minutes/hours?) and how often do your forwarders check in? It seems as though you've baked in a process to reload the DS when there is a user-initiated update which should cover most updates(?). Every 5 minutes seems a bit excessive to me /shrug. I'd lean toward once a day maybe.

0 Karma

bmacias84
Champion

I know fschange is being deprecated, but Splunk still uses it for monitoring its internal files. Why not add your deployment folder to fschange? Using a scheduled search for any changes, on your specified interval, to that folder, kick off your macro to run reload deploy-server. Just an idea.

0 Karma
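The two ideas in this thread (a periodic job, and reloading only when the deployment content actually changed) can be combined; the sketch below is an added example, not code from any poster or from Splunk. It assumes the default `$SPLUNK_HOME/etc/deployment-apps` location, a hypothetical state-file path, and a CLI session that is already authenticated.

```python
import hashlib
import os
import subprocess

# Assumed default layout; the thread does not give paths.
SPLUNK_HOME = os.environ.get("SPLUNK_HOME", "/opt/splunk")
DEPLOY_DIR = os.path.join(SPLUNK_HOME, "etc", "deployment-apps")
STATE_FILE = os.path.join(SPLUNK_HOME, "var", "run", "ds_tree.sha256")  # hypothetical


def tree_digest(root):
    """SHA-256 over every relative path and file content, in sorted order."""
    outer = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            inner = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    inner.update(chunk)
            rel = os.path.relpath(path, root).encode("utf-8", "surrogateescape")
            outer.update(rel + b"\0" + inner.digest())
    return outer.hexdigest()


def reload_if_changed(root=DEPLOY_DIR, state_file=STATE_FILE, reload_cmd=None):
    """Run the reload only when the tree differs from the last recorded digest."""
    if reload_cmd is None:
        # Assumes the CLI is already authenticated; no credentials on the command line.
        reload_cmd = [os.path.join(SPLUNK_HOME, "bin", "splunk"), "reload", "deploy-server"]
    current = tree_digest(root)
    try:
        with open(state_file) as f:
            previous = f.read().strip()
    except FileNotFoundError:
        previous = None
    if current == previous:
        return False
    # Argument list, no shell: nothing from the tree is interpreted as a command.
    subprocess.run(reload_cmd, check=True)
    # Record the digest only after a successful reload, so a failed run is retried.
    with open(state_file, "w") as f:
        f.write(current)
    return True


if __name__ == "__main__":
    print("reloaded" if reload_if_changed() else "no change")
```

Run from cron or a scheduled task at whatever interval suits the environment; an unchanged tree costs only the hashing pass and never triggers a reload.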