Deployment Architecture

How do I get a script pushed to all forwarders via deployment server?

robp
Engager

I have 200+ light forwarders. I use deployment servers to manage their configuration. Can I use the deployment server to push bash script that needs to be located in $SPLUNK_HOME/etc/system/bin to each system?

Tags (2)

Lowell
Super Champion

You may be able to leverage something from a script posted here:

It's a hackish approach, but it can work. It does demonstrate the "run-once" principle, but it would be slightly different (probably simpler) in your case.

oreoshake
Communicator

Not that this is a good idea...but couldn't you push a script to etc/apps/APP/bin that copies itself or another file to etc/system/bin? Just have it run once, then remove it. I've thought about using this strategy to push things to dirs outside of etc/apps but I haven't found a NEED to do so. This is a potentially damaging scenario.

gkanapathy
Splunk Employee
Splunk Employee

No. However, you can use it to push to any $SPLUNK_HOME/etc/apps/MYAPP/bin folder. I can't think of anything that must reside in etc/system/bin that can not also work if it is located in an app's bin folder, so this might be a solution for you.

gkanapathy
Splunk Employee
Splunk Employee

That is incorrect. Scripts can be called from etc/apps/MYAPP/bin/. They can be called from their own app, or globally if they are exported correctly in the metadata/local.meta file.

0 Karma

robp
Engager

My understanding of scripts is that they MUST be resident within the /etc/system/bin folder or they won't be called. Ideally, I could just call files on the filesystem. What I don't want to do is have the deployment server wipe-out the /bin directory with what the deployment server pushes out. I'm hoping to merge deployment server data with that directory, or have Splunk change the Script rules.

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...