Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare the .conf consistency across all nodes in a SHC ?

Glasses2
Communicator
‎02-10-2023 10:42 AM

Hi, 

Does anyone have a method or an app or query that can check and compare the confs between all SHC members?  

Perhaps there is a way with btool or rysnc.  

I was given a PS Tech Assessment App but it is not working correctly.  I don't think the PS Tech knew how to install it or use it.

Thank you

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Glasses2
Communicator
‎02-13-2023 07:47 AM

Admins Little Hepler for Splunk seems to work

https://splunkbase.splunk.com/app/6368

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-10-2023 10:34 PM

Hi @Glasses2 ,

whwy do you want to compare conf files between SHC members?

All apps are replicated between them the only differences can be in $SPLUNK_HOME/etc/system/local.

Anyway, to extract configurations using btool it could be a good and easy approach.

in addition there's an app (sincerely that I never used!) called "Conf Inspactor" (https://splunkbase.splunk.com/app/3957) that probably solves your need.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Glasses2
Communicator
‎02-13-2023 06:20 AM

@gcusello 

Thank you for the reply and suggestion.

I agree with you about replication, however in my case, the shc was not replicating correctly.  The previous admin did not know what he was doing and others were restarting shc nodes individually causing corruption.

Specifically I was seeing transforms in the search app that were not replicating correctly.  As well the lookups were different across the shc nodes.

Its a real mess!

The PS assessment app has a conf checker but it is not working correctly and is probably missing a dependency.    I will try you suggestion and get back to you.  TY!

0 Karma
Reply
Solved! Jump to solution
Solution

Glasses2
Communicator
‎02-13-2023 07:47 AM

Admins Little Hepler for Splunk seems to work

https://splunkbase.splunk.com/app/6368

0 Karma
Reply
Solved! Jump to solution

Glasses2
Communicator
‎02-13-2023 08:31 AM

the conf-inspector has less functionality

https://splunkbase.splunk.com/app/3957

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 08:17 AM

Hi @Glasses2,

good for you, anyway, when you'll consolidate your apps and lookups, deploy them again from the Deployer to have a clean configuration.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 06:24 AM

Hi @Glasses2,

using btool you can identify differences in conf file, not differences in lookups, so maybe it could be a good idea to take all lookups, consolidate them in on lookup.

Then, for Conf files, take all the configurations using btool and consolidate them in a new app version for each app, then push apps and lookups from the Deployer.

Let me know if I could help you more.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...