Deployment app vanished

Builder

I am having an issue with the deployment server and I'm not sure what to make of this.

I recently learned about the deployment server and have been using it successfully for a couple weeks now. I have about five apps that are deployed across various AIX hosts.

This morning I created a new app named "echk". I deployed the app and it was deployed to the LightForwarder hosts as normal. Then about two minutes later the app vanished from each of the hosts. Poof! I tried to redeploy it but it doesn't appear to work.

I know it worked for those two minutes because the data was indexed.

I tried moving the app out of /splunk/etc/deployment-apps, then moving it back in (bouncing everything in between). It still won't re-deploy.

I don't see anything peculiar in the Splunk logs on the indexer. In the forwarder logs I see this:
08-20-2010 09:54:00.422 WARN DeployedApplication - Uninstalling application: echk
08-20-2010 09:54:00.423 WARN DeployedApplication - Removing app at location: /splunk/etc/apps/echk

All other apps are fine. My serverclass.conf has not changed.

Has anyone seen behavior like this before?? How do I begin to resolve this??

0 Karma

Builder

I'm using 4.1.4. I restart Splunk after making any changes to the serverclass.conf file. I think I figured out the problem. lephino's question below prompted me to review my serverclass.conf file (again). Turns out I skipped a number. Apparently, that made a difference. Here's what happened:
whitelist.0=hosta
whitelist.1=hostb
whitelist.2=hostc
whitelist.4=hostd

whitelist.3 was missing. I re-numbered them and it fixed the problem. I'm surprised that was the issue...

0 Karma
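
A way to catch the numbering gap described in the comment above before a change is rolled out, as an added example that is not part of the original thread or Splunk's own tooling. The function name and the stanza names in the sample are assumptions; the whitelist entries are the ones quoted in the comment.

```python
import re
from collections import defaultdict

# Matches filter keys such as "whitelist.3 = hostd" or "blacklist.0=hosta".
FILTER_KEY = re.compile(r"^\s*(whitelist|blacklist)\.(\d+)\s*=")
STANZA = re.compile(r"^\s*\[(.+)\]\s*$")

def find_numbering_gaps(conf_text):
    """Return (stanza, list, missing_indices, indices_after_first_gap) per gapped list."""
    seen = defaultdict(set)
    stanza = "(no stanza)"
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = STANZA.match(line)
        if m:
            stanza = m.group(1)
            continue
        m = FILTER_KEY.match(line)
        if m:
            seen[(stanza, m.group(1))].add(int(m.group(2)))
    findings = []
    for (name, kind), nums in seen.items():
        # A well-formed list uses every index from 0 up to its highest one.
        missing = sorted(set(range(max(nums) + 1)) - nums)
        if missing:
            after_gap = sorted(n for n in nums if n > missing[0])
            findings.append((name, kind, missing, after_gap))
    return findings

# Constructed sample: first stanza reproduces the skipped whitelist.3,
# second stanza (hypothetical) is numbered contiguously.
SAMPLE = """\
[serverClass:aix_forwarders]
whitelist.0=hosta
whitelist.1=hostb
whitelist.2=hostc
whitelist.4=hostd

[serverClass:other_hosts]
whitelist.0=hoste
whitelist.1=hostf
"""

if __name__ == "__main__":
    for name, kind, missing, after in find_numbering_gaps(SAMPLE):
        print(f"[{name}] {kind}: missing {missing}, entries after gap {after}")
```

Running it against serverclass.conf before restarting the deployment server flags any list that needs renumbering.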

Builder

Can you post your serverclass.conf? This seems like you have a whitelist/blacklist issue.

Builder

I would prefer not to post my serverclass.conf file as it reveals host names; our security team would be very cross if I did that. However, upon seeing your request, I triple-checked my serverclass.conf file and noticed an error. I described it in my comment above.
Thanks!

0 Karma

Splunk Employee

What version of Splunk are you using?

0 Karma

Splunk Employee

How are you mapping hosts in serverclass.conf? When you update serverclass.conf you do have to restart Splunk, but if you're only modifying files in $SPLUNK_HOME/etc/deployment-apps you can run '$SPLUNK_HOME/bin/splunk reload deploy-server'.

0 Karma