Deployment: Updating text file for collection script

MHibbin
Influencer

Hi,

I just wanted to confirm something...

I have a deployment set up, where the deployment server maintains lists of hosts in text files, called hosts.txt, which differ based on the forwarder. These files and their parent deployment-apps are distributed as expected to the relevant forwarders (based on whitelisting). The hosts.txt files are referenced by a Python script, which is configured as a scripted input.

The deployment update/reload process seems to work fine, apart from one aspect: the Python script does not seem to read the updates in the file until after a reboot. To expand on this...

If, for example, I add the line 1.2.3.4 to the hosts.txt file in the deployment-app, foo (i.e. $SPLUNK_HOME/etc/deployment-apps/foo), and reload the deployment (as @dart points out, using the ./splunk reload deploy-server command), I will see the updated list on the forwarder under $SPLUNK_HOME/etc/apps/foo; however, the script will not "see" the new entry (i.e. "1.2.3.4") until I restart Splunk on the forwarder.

When I had this Python script/hosts file combo working on a single server in test, it worked fine, and the script would pick up the update on the next interval cycle. I'm just wondering why I now have to reboot.

Has anyone any thoughts on this?

Cheers,

MHibbin

1 Solution

MHibbin
Influencer

Okay, so my workaround to avoid restarting Splunk each time a new host is added was to write the updates to a separate deployment-app. So two apps get sent out, one containing the collection script, one containing the hosts file. This appears to work without requiring a restart.
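
A way to check from the indexed data which version of hosts.txt a forwarder's script actually read, as an added example that is not part of the original thread or MHibbin's script: the scripted input below re-reads the file on every run and emits its SHA-256 and mtime, so a stale list shows up as an unchanged hash after a deploy. The app name `foo_hosts`, the event field names, and the assumption that every entry is an IP address (as with 1.2.3.4 above) are hypothetical.

```python
import hashlib
import ipaddress
import os
import sys
import time

# Assumption: hosts.txt ships in its own deployment app (hypothetical name).
HOSTS_APP = "foo_hosts"


def hosts_path(splunk_home=None):
    """Resolve hosts.txt inside the separate hosts app on the forwarder."""
    home = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")
    return os.path.join(home, "etc", "apps", HOSTS_APP, "hosts.txt")


def load_hosts(path):
    """Read the file from disk on every call; nothing is cached between runs.

    Returns (valid_hosts, rejected_entries, sha256_hex, mtime_epoch).
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    hosts, rejected = [], []
    for line in raw.decode("utf-8", "replace").splitlines():
        entry = line.split("#", 1)[0].strip()  # allow comments and blank lines
        if not entry:
            continue
        try:
            hosts.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            rejected.append(entry)  # never pass unvalidated text to collection
    return hosts, rejected, hashlib.sha256(raw).hexdigest(), int(os.path.getmtime(path))


def status_event(path):
    """One key=value line per run; index it alongside the collected data."""
    hosts, rejected, digest, mtime = load_hosts(path)
    return ('%s hosts_file="%s" sha256=%s mtime=%d host_count=%d rejected=%d'
            % (time.strftime("%Y-%m-%dT%H:%M:%S%z"), path, digest, mtime,
               len(hosts), len(rejected)))


if __name__ == "__main__":
    try:
        print(status_event(hosts_path()))
    except OSError as exc:
        print('hosts_file_error="%s"' % exc, file=sys.stderr)
        sys.exit(1)
```

Comparing the reported sha256 per forwarder with the hash of the file under $SPLUNK_HOME/etc/deployment-apps on the deployment server shows which clients are still running against an old list.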

MHibbin
Influencer

I have used restartSplunkd since I noticed the scripted input wasn't picking up the change, and it does work; however, I was just curious if there was something I should be looking out for. I haven't really looked into modular inputs (or Splunk 5) as the time left for this particular project is running out very soon.


dart
Splunk Employee

Also, have you considered adding a modular input for your script?


dart
Splunk Employee

Do you have restartSplunkd set to true?


MHibbin
Influencer

@dart, I re-read my question, and have subsequently updated it (all), so that it makes sense to everyone else, and not just myself. The "hosts file" is a file I use to maintain a list of hosts to be used by a scripted input for data collection, which may need to change at various points in the future. So I use the hosts file to avoid "hard-coding" anything.


dart
Splunk Employee

What's the hosts file you're referring to? If it's deploymentclasses.conf, you need to do a splunk reload deploy-server to get the new definitions.
