Deployment Architecture

How do I make changes to server.conf?

brent_weaver
Builder

I need to make some changes and Splunk proServe tells me that I can use the deployment server to make this change. How is this done outside of the ../etc/systemp/local/ dir? Bundle it in an app? If so what about precedence?

Any guidance is appreciated!

0 Karma
1 Solution

woodcock
Esteemed Legend

Any configuration in $SPLUNK_HOME/etc/system/local/ is GOD and cannot be overridden by anything in $SPLUNK_HOME/etc/apps/ (the stuff that is pulled in from the Deployment Server). You have to migrate that stuff out of $SPLUNK_HOME/etc/system/local/ first (it never should have been put there).

View solution in original post

0 Karma

woodcock
Esteemed Legend

Any configuration in $SPLUNK_HOME/etc/system/local/ is GOD and cannot be overridden by anything in $SPLUNK_HOME/etc/apps/ (the stuff that is pulled in from the Deployment Server). You have to migrate that stuff out of $SPLUNK_HOME/etc/system/local/ first (it never should have been put there).

0 Karma

brent_weaver
Builder

OK this is exactly what I thought, I appreciate your time!
Thanks everyone.

0 Karma

adonio
Ultra Champion

yes you will bundle configurations in an app.
splunk configuration precedence is*:
1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority

hope it helps

0 Karma

ddrillic
Ultra Champion

Interesting thing. For /opt/splunk/etc/system/local/server.conf on the SH, for example, I make the changes on each SH and bounce each one. The deployment server only deploys to the forwarders...

0 Karma

adonio
Ultra Champion

the deployment server can deploy to any non-clustered splunk instance
Indexer, Search Head, Heavy Forwarder and more
also, it can not deploy to itself

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...