Deployment Architecture

Deployment Server not pushing apps to clients

Explorer

I currently have Splunk 5.0.1 and am unable to get the deployment server to push apps. The server class has been defined and the folder containing the apps created, however for some reason it just will not upload the packages. Right now I am trying to use the Exchange TA's for testing.

I have restarted the Splunk server and the Splunk universal forwarder on the other end as well with no luck.

The serverclass.conf contains:

[global]

targetRepositoryLocation = C:\Program Files\SplunkUniversalForwarder\etc\apps\

[serverClass:Global SEP Servers]

filterType = whitelist
repositoryLocation = C:\Splunk\deployment-apps\Corp_SEP\
whitelist.0 = -SEP-

The deploymentclient.conf file contains just an entry for [target-broker:deploymentServer]

I am sure I am missing something simply, but any help would be greatly appreciated.

0 Karma
1 Solution

Path Finder

You will need to define what apps should be shipped at the end of your serverClass for sure.

[serverClass:Global SEP Servers]
whitelist.0 = ServerX
[serverClass:Global SEP Servers:app:APP1]
[serverClass:Global SEP Servers:app:APP2]
[serverClass:Global SEP Servers:app:APP3]
[serverClass:Global SEP Servers:app:APP4]
[serverClass:Global SEP Servers:app:APP5]

You can remove the targetRepositoryLocation since that is the default but if you want to keep it there it should look like C:\Program Files\SplunkUniversalForwarder\etc\apps\

(I dont identify it because I have a large ammount of unix hosts as well)

Splunk reload deploy-server and check if your apps ship

View solution in original post

Path Finder

You will need to define what apps should be shipped at the end of your serverClass for sure.

[serverClass:Global SEP Servers]
whitelist.0 = ServerX
[serverClass:Global SEP Servers:app:APP1]
[serverClass:Global SEP Servers:app:APP2]
[serverClass:Global SEP Servers:app:APP3]
[serverClass:Global SEP Servers:app:APP4]
[serverClass:Global SEP Servers:app:APP5]

You can remove the targetRepositoryLocation since that is the default but if you want to keep it there it should look like C:\Program Files\SplunkUniversalForwarder\etc\apps\

(I dont identify it because I have a large ammount of unix hosts as well)

Splunk reload deploy-server and check if your apps ship

View solution in original post

Explorer

Thanks, worked like a charm. I must have missed that in the instructions.

0 Karma

Splunk Employee
Splunk Employee

It's pull, not push, and you haven't told the members of the SEP servers to pull anything. The repositoryLocation setting is for the parent directory of the apps, not an individual app to send. You probably want C:\Splunk\deployment-apps. (But typically, this folder in a default install lives in an "etc" subfolder of the Splunk home directory.)

Next, you need a line that says "for this class, send this app":

[serverClass:Global SEP Servers:app:Corp_SEP]

Then run splunk reload deploy-server, and watch the clients.

Also, if this app contains inputs.conf or outputs.conf definitions, you'll need to restart the Splunk service on the forwarder after the app arrives. You can do this with the restartSplunkd flag in serverclass.conf.

Explorer

Sorry I should clarify, the base directory for apps on this Server Class is C:\Splunk\deployment-apps\Corp_SEP\. I have placed folders under that that contain the actual apps to be deployed.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!