Deployment Architecture

How do I push an app to the Search Head Deployer's shcluster/ directory?

eroffol
Path Finder

I know I would run splunk apply shcluster-bundle on the Search Head Deployer to push apps to Search Head Cluster Members. The apps that get pushed are located under the shcluster/ directory on the Search Head Deployer.

I also know that when I create a new app (using the SPLUNK web UI), the app is put in the etc/apps/ directory on a Search Head Cluster Member. How does that app then get to the Search Head Deployer's shcluster/ directory?
Do I manually have to put it there? Should it automatically go there? Or is there a command-line command I have to run to get it there?

1 Solution

masonmorales
Influencer

You have to manually put it there.

0 Karma

matthewpearce
Explorer

I have done the following:

Created basic APP framework through the WEB-GUI on a standalone Search Head. Then found the APP files which the GUI created here: /apps/splunk/etc/apps/myapp

Tar up that directory:
cd /apps/splunk/etc/apps; tar cvf myapp.tar myapp

Transfer and untar myapp.tar to your search head deployer to this directory /apps/splunk/etc/shcluster/apps.

Once you have /apps/splunk/etc/shcluster/apps/myapps on your deployer, then run "shcluster-apply stage" and "shcluster-apply send" to update your search head cluster.

I found if I tried to create through the Search Head Cluster WEB-GUI, the updates are not replicated properly between the cluster nodes.

I'm guessing this is the manual method as mentioned above. I haven't yet found a more efficient way to do this.

0 Karma

robjackson
Path Finder

How do you push apps from the Web UI? You can install apps from the UI, which is nice, but it does not help if you cannot also push from the UI.

We do not have access to run the UNIX commands. To get an app installed via the CLI would take a long time.

0 Karma

pchiem
New Member

Since then we added more features to the code and created a Splunk add-on which runs as a Splunk app. We set the permissions in the meta to allow only admin for visibility and RW. Now we can do everything from stop/start/restart of the deployment server or search head cluster via the Splunk UI. We can also create new Splunk apps, push them to any environment and apply a cluster reload from the same UI. With this, a Splunk admin no longer needs to log on to the Unix server to use the Splunk CLI.

High level -
We took one of the search heads and converted it into a Splunk admin that will do all administrator tasks, like pushing git to all deployment servers and reloading via the UI. We also created a pre-canned Splunk app template, with all the necessities for a barebones app to run. We have a Python script that will modify local.meta, app.conf, and a dashboard focused on the team data. We created a dashboard called "create new app" that calls the custom script with a set of parameters from the dashboard text boxes. It is similar to the Splunk app creation; the only difference is that we added an option to push the new app to the test, dev and prod search head clusters. Sorry for any confusion, as I am trying to keep it at a high level; please PM me if you need more clarity.

0 Karma

pchiem
New Member

If you have git, what you can do is create a simple Python script that does a git pull of the app into shcluster, and also does an apply after the pull. There are git modules out there you can use. Here is a quick simple one that I wrote up a while back to do the cluster apply.

Something like this ---

...

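import datetime
import os
import subprocess

# Placeholders for values elided from the post; adjust for your deployer.
shcluster_Path = "/opt/splunk/etc/shcluster/apps"  # assumed: one git checkout per app
searchhead = "sh1.example.com"                     # placeholder SHC member
now = datetime.datetime.now().isoformat()
SKIP_PREFIXES = ('.', 'README', 'splunk_admin_app', 'sentinel.txt')

def dirsWalkSHCluster():
    print("Updating Search Head Cluster apps")
    for name in os.listdir(shcluster_Path):
        joinpath = os.path.join(shcluster_Path, name)
        # Skip hidden files, README, the admin app, the sentinel file and anything
        # that is not a directory (os.chdir on a plain file would raise).
        if name.startswith(SKIP_PREFIXES) or not os.path.isdir(joinpath):
            continue

        ## Git Process (run inside the app's checkout)
        git_process = subprocess.Popen(["git", "pull", "origin", "master"], cwd=joinpath,
                                       stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                                       universal_newlines=True)
        processOutput = git_process.communicate()[0]
        print("datetime=" + now + "  gitrepo=" + name + " message=" + processOutput)

    ## Apply Search Head Cluster changes
    # Argument list with no shell, so the target value is never parsed by a shell.
    # The -auth user:password pair is inline, as in the original post.
    splunkCommand = ["sudo", "/opt/splunk/bin/./splunk", "apply", "shcluster-bundle",
                     "--answer-yes", "-target", "https://%s:8089" % searchhead,
                     "-auth", "git_deploy:git_deploy_pw"]
    splunkOutput = subprocess.Popen(splunkCommand, stdout=subprocess.PIPE,
                                    stderr=subprocess.STDOUT, universal_newlines=True)
    msgOut = splunkOutput.communicate()[0]
    print("datetime=" + now + " command_run=Reload SHCluster  message=" + msgOut)

if __name__ == "__main__":
    dirsWalkSHCluster()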

Run the script as the splunk user; in the sudoers file, only allow splunk to run the splunk command, and you can specify which command. You can probably obscure the pw too.

0 Karma

clfits
New Member

Way to go! Nice script - mine looks similar. The only thing that really sucks is that you need the "admin_all_objects" capability to apply the cluster-bundle or call the REST endpoint:
(action=admin_all_objects, info=denied REST: /apps/deploy)
So you need to have a user with admin rights and the password standing in a script, or, if you use the CLI, even in the command history if you did not use login/logoff.

😕

0 Karma
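
As an added example (not part of any post in this thread): a small Python check for the exposure described in the comment above, flagging Splunk CLI invocations that carry `-auth user:password` inline in scripts or shell history and redacting the password in the report. The first sample line is the command string from the script posted earlier; the other lines are constructed, and `find_inline_auth` and its patterns are names chosen for this example.

```python
import re

# Matches "-auth user:password", optionally wrapped in one pair of quotes.
AUTH_RE = re.compile(r"""-auth\s+(?P<q>['"]?)(?P<user>[^\s:'"]+):(?P<pw>[^\s'"]+)(?P=q)""")
# Password fields that are references rather than literals: $VAR, ${VAR}, %s, {name}
REFERENCE_RE = re.compile(r"^(\$\{?\w+\}?|%s|\{\w*\})$")

# Line 1 is the command string from the script in this thread; the rest are constructed.
SAMPLE_LINES = [
    'splunkCommand = ("sudo /opt/splunk/bin/./splunk apply shcluster-bundle --answer-yes '
    '-target https://%s:8089 -auth git_deploy:git_deploy_pw") %(searchhead)',
    'splunk login',
    "/opt/splunk/bin/splunk apply shcluster-bundle -auth 'admin:Chang3me!' "
    "-target https://sh1.example.com:8089",
    '/opt/splunk/bin/splunk apply shcluster-bundle -target https://sh1.example.com:8089 '
    '-auth "$SPLUNK_USER:$SPLUNK_PW"',
]

def find_inline_auth(lines):
    """Return (line_no, user, kind, redacted_line) for every inline -auth pair.

    kind is "literal" when the password itself is written on the line, and
    "reference" when it is a variable or format placeholder. A reference keeps
    the secret out of the file, but the expanded value is still an argument of
    the running process.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in AUTH_RE.finditer(line):
            kind = "reference" if REFERENCE_RE.match(m.group("pw")) else "literal"
            # Never echo the secret back into a report or a log.
            redacted = line[:m.start("pw")] + "****" + line[m.end("pw"):]
            findings.append((line_no, m.group("user"), kind, redacted))
    return findings

def scan_file(path):
    """Scan a script or history file (for example ~/.bash_history) on disk."""
    with open(path, errors="replace") as handle:
        return find_inline_auth(handle.read().splitlines())

if __name__ == "__main__":
    for line_no, user, kind, redacted in find_inline_auth(SAMPLE_LINES):
        print("line=%d user=%s kind=%s text=%s" % (line_no, user, kind, redacted))
```
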

somesoni2
Revered Legend

The newly created app on an SHC member will not be replicated to the other SHC members and the Deployer. You'd have to manually create the new app folder on the Deployer and push the SHC bundle (using the command you mentioned in the question) to have the new app available for use on the SHC members. You can use the folder/structure of the app template "barebones" (you will need to update the app.conf for names).

0 Karma

eroffol
Path Finder

Well that answers my question then, thank you!

I was hoping that I would be able to log into the SHC member and run some sort of "push" command to have it replicate on the Search Head Deployer. Manual FTP is always fun though =/

0 Karma