Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Deployment: Updating text file for collection script

MHibbin
Influencer
‎12-05-2012 08:43 AM

Hi,

I just wanted to confirm something...

I have a deployment set up, where the deployment server maintains list of hosts in a text files, called hosts.txt, which differ based on the forwarder. These files and their parent deployment-apps are distributed as expected to the relevant forwarders (based on whitelisting). The hosts.txt file are referenced by a python script, which is configured as a scripted input.

The deployment update/reload process seems to work fine, apart from one aspect, the python script does not seem to read the updates in the file until after a reboot. To expand on this...

If, for example, I add the line 1.2.3.4 to the hosts.txt file in the deployment-app, foo (i.e. $SPLUNK_HOME/etc/deployment-apps/foo), and reload the deployment (as @dart points out using the ./splunk reload deploy-server command). I will see the updated list on the forwarder under $SPLUNK_HOME/etc/apps/foo, however the script will not "see" the new entry (i.e. "1.2.3.4") until I restart Splunk on the forwarder.

When I had this python script/hosts file combo working on a single server in test, it worked fine. And the script would pick up the update on the next interval cycle. I'm just wondering why I now have to reboot.

Has anyone any thoughts on this?

Cheers,

MHibbin

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MHibbin
Influencer
‎12-12-2012 01:40 PM

Okay so my work around to avoid restarting Splunk each time a new host is added was to write the updates to a seperate deployment-app.. So two apps get sent out, one containing the collection script, one containing the the hosts file. This appears to work without requiring a restart.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MHibbin
Influencer
‎12-12-2012 01:40 PM

Okay so my work around to avoid restarting Splunk each time a new host is added was to write the updates to a seperate deployment-app.. So two apps get sent out, one containing the collection script, one containing the the hosts file. This appears to work without requiring a restart.

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎12-05-2012 01:21 PM

I have used restartSplunkd since I noticed the scripted input wasn't picking up the change, and it does work, however I was just curious if there was something I should be looking out for. I haven't really looked into modular inputs (or splunk 5) as the time left for this particular project is running out very soon.

0 Karma
Reply
Solved! Jump to solution

dart
Splunk Employee
Splunk Employee
‎12-05-2012 10:33 AM

also have you considered adding a modular input for your script?

0 Karma
Reply
Solved! Jump to solution

dart
Splunk Employee
Splunk Employee
‎12-05-2012 10:32 AM

Do you have restartSplunkd set to true?

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎12-05-2012 10:29 AM

@dart, I re-read my question, and have subsequently updated it (all), so that it makes sense to everyone else, and not just myself. The "hosts file" is a file I use to maintain list of hosts to be used by a scripted input for data collection, which may need to change at various points in the future.. So I use the hosts file to avoid "hard-coding" anything.

0 Karma
Reply
Solved! Jump to solution

dart
Splunk Employee
Splunk Employee
‎12-05-2012 09:43 AM

what's the hosts file you're refering to? if it's deploymentclasses.conf, you need to do a splunk reload deploy-server to get the new definitions

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...