Solved: Deployment: Updating text file for collection scri...

MHibbin · ‎12-05-2012

Hi,

I just wanted to confirm something...

I have a deployment set up, where the deployment server maintains list of hosts in a text files, called hosts.txt, which differ based on the forwarder. These files and their parent deployment-apps are distributed as expected to the relevant forwarders (based on whitelisting). The hosts.txt file are referenced by a python script, which is configured as a scripted input.

The deployment update/reload process seems to work fine, apart from one aspect, the python script does not seem to read the updates in the file until after a reboot. To expand on this...

If, for example, I add the line 1.2.3.4 to the hosts.txt file in the deployment-app, foo (i.e. $SPLUNK_HOME/etc/deployment-apps/foo), and reload the deployment (as @dart points out using the ./splunk reload deploy-server command). I will see the updated list on the forwarder under $SPLUNK_HOME/etc/apps/foo, however the script will not "see" the new entry (i.e. "1.2.3.4") until I restart Splunk on the forwarder.

When I had this python script/hosts file combo working on a single server in test, it worked fine. And the script would pick up the update on the next interval cycle. I'm just wondering why I now have to reboot.

Has anyone any thoughts on this?

Cheers,

MHibbin

MHibbin · ‎12-12-2012

Okay so my work around to avoid restarting Splunk each time a new host is added was to write the updates to a seperate deployment-app.. So two apps get sent out, one containing the collection script, one containing the the hosts file. This appears to work without requiring a restart.

View solution in original post

MHibbin · ‎12-12-2012

Okay so my work around to avoid restarting Splunk each time a new host is added was to write the updates to a seperate deployment-app.. So two apps get sent out, one containing the collection script, one containing the the hosts file. This appears to work without requiring a restart.

MHibbin · ‎12-05-2012

I have used restartSplunkd since I noticed the scripted input wasn't picking up the change, and it does work, however I was just curious if there was something I should be looking out for. I haven't really looked into modular inputs (or splunk 5) as the time left for this particular project is running out very soon.

dart · ‎12-05-2012

also have you considered adding a modular input for your script?

dart · ‎12-05-2012

Do you have restartSplunkd set to true?

MHibbin · ‎12-05-2012

@dart, I re-read my question, and have subsequently updated it (all), so that it makes sense to everyone else, and not just myself. The "hosts file" is a file I use to maintain list of hosts to be used by a scripted input for data collection, which may need to change at various points in the future.. So I use the hosts file to avoid "hard-coding" anything.

dart · ‎12-05-2012

what's the hosts file you're refering to? if it's deploymentclasses.conf, you need to do a splunk reload deploy-server to get the new definitions

Deployment: Updating text file for collection script

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?