Solved: How do I push an app to the Search Head Deployer's...

eroffol · ‎09-01-2016

I know I would run splunk apply shcluster-bundle on the Search Head Deployer to push apps to Search Head Cluster Members. The apps that get pushed are located under the shcluster/ directory on the Search Head Deployer.

I also know that when I create a new app (using the SPLUNK web UI), the app is put in the etc/apps/ directory on a Search Head Cluster Member. How does that app then get to the Search Head Deployer's shcluster/ directory?
Do I manually have to put it there? Should it automatically go there? Or is there a command-line command I have to run to get it there?

masonmorales · ‎09-01-2016

You have to manually put it there.

View solution in original post

matthewpearce · ‎10-11-2017

I have done the following:

Created basic APP framework through the WEB-GUI on a standalone Search Head. Then found found the APP files which the GUI created here: /apps/splunk/etc/apps/myapp

Tar up that directory:
cd /apps/splunk/etc/apps; tar cvf myapp.tar myapp

Transfer and untar myapp.tar to your search head deployer to this directory /apps/splunk/etc/shcluster/apps.

Once you have /apps/splunk/etc/shcluster/apps/myapps on your deployer, then run "shcluster-apply stage" and "shcluster-apply send" to update your search head cluster.

I found if I tried to create through the Search Head Cluster WEB-GUI, the updates are not replicated properly between the cluster nodes.

I'm guessing this is the manual method as mentioned above. I've haven't yet found a more efficient way to do this.

robjackson · ‎02-24-2017

How do you push apps from the Web UI. You can install apps from the UI which is nice, But it does not help if you cannot also push from UI.

We do not have access to run the UNIX commands. To get an app installed via the CLI would take a long time.

pchiem · ‎02-24-2017

Since then we added more feature to the code and create an splunk addon which run as splunk app. Setting permission on the meta to only allow admin for visible and RW. Now we can do everything from stop/start/restart deployment server or search head cluster via the splunk UI. We can also create new splunk apps and push to any environment and apply cluster reload from the same UI. With this splunk admin no longer need to logon to the unix server to do splunk cli.

High level -
We took one of the searchhead convert it as splunk admin that will do all administrator task. Like push git to all deployment server and reload via the UI. We also create a pre-can splunk app template, with all the necessity for barebone app to run. We have a python script that will modify local.meta, app.conf, a dashboard focus on the team data. We create a dashboard call " create new app " that call to the custom script with a set of parameter from dashboard textbox. Similar to the splunk app creation, only different is that we added option to push the new app to test, dev, prod searchhead cluster. Sorry for any confusion as I am trying to keep it at high level, please PM me if you need more clarity.

pchiem · ‎01-16-2017

If you have git, you can do is create a simple python that do git pull the app into shcluster, and also do an apply after the pull. There are git module out there you can use. Here is a quick simple one that I wrote up awhile back to do the cluster apply.

Something like this ---

...

def dirsWalkSHCluster():

dirwalk = os.listdir( shcluster_Path )
#print dirwalk
print "Updating Search Head Cluster apps"

for file in dirwalk:
    if not file.startswith('.'):
        if not file.startswith('README'):
            if not file.startswith('splunk_admin_app'):
                if not file.startswith('sentinel.txt'):
                    joinpath = os.path.join(shcluster_Path, file)
                    os.chdir( joinpath )

                    ## Git Process
                    git_process = subprocess.Popen(["git", "pull", "origin", "master"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
                    processOutput = git_process.communicate()[0]

                    print "datetime="+now + " " + " " + "gitrepo="+file + " " + "message="+processOutput

## Apply Search Head Cluster changes
splunkCommand = ("sudo /opt/splunk/bin/./splunk apply shcluster-bundle --answer-yes -target https://%s:8089 -auth git_deploy:git_deploy_pw") %(searchhead)
splunkOutput = subprocess.Popen(splunkCommand, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
msgOut = splunkOutput.communicate()[0]
print "datetime="+now + " " + "command_run=Reload SHCluster" + " " + " " + "message=" +msgOut

run the script as splunk user, in sudoers file only allow splunk to run splunk command and you can specific with command. You can probably obscure the pw too.

clfits · ‎01-20-2017

Way to go! nice script - mine looks similar. the only thing that really sucks is that you need the "admin_all_objects" capability to apply the cluster-bundle or call the REST endpoint:
(action=admin_all_objects, info=denied REST: /apps/deploy)
So you need to have a user with admin rights and the password standing in an script or if you use the cli even in the command history if you did not use login/logoff.

😕

masonmorales · ‎09-01-2016

You have to manually put it there.

somesoni2 · ‎09-01-2016

The newly created app on SHC member will not be replicated to other SHC member and Deployer. You'd have to manually create the new app folder on the Deployer and push the SHC bundle (using the command you mentioned in the question) to have the new app available for use in SHC members. You can use the folder/structure for the app template "barebones" (will need to update the app.conf for names).

eroffol · ‎09-01-2016

Well that answers my question then, thank you!

I was hoping that I would be able to log into the SHC member and run some sort of "push" command to have it replicate on the Search Head Deployer. Manual FTP is always fun though =/

How do I push an app to the Search Head Deployer's shcluster/ directory?

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?