Deployment Architecture
Highlighted

How to handle splunkbase apps with "[script::...]: stanzas in "inputs.conf" when deploying from Cluster Master in "master-apps" to "slave-apps"?

Esteemed Legend

How do you handle the fact that apps like Splunk_TA_nix and Splunk_TA_windows have relative paths like [script://./bin/df.sh] that will not resolve correctly when deployed by the Cluster Master via master-apps to slave-apps on the indexer and results in failure to run and errors like this:

04-18-2020 18:07:11.694 -0400 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_nix/bin/df.sh" /bin/sh: /opt/splunk/etc/apps/Splunk_TA_nix/bin/df.sh: No such file or directory

What compounds it is that we also send these same apps to our UFs where they work fine as-is. Obviously the problem is that the relative path resolution code in splunkd is hard-coded to use $SPLUNK_HOME/etc/apps and with cluster master the apps are in $SPLUNK_HOME/etc/slave-apps/. It looks like Splunk may never fix it to be smarter, so we have to accommodate both ways. We are looking for the most portable and lightweight method. I can think of (and have tried) at least 3 ways but I don't really like any of them. What do you do? Is there any way to use the same inputs.conf file for Clustered Indexers and other nodes?

0 Karma
Highlighted

Re: How to handle splunkbase apps with "[script::...]: stanzas in "inputs.conf" when deploying from Cluster Master in "master-apps" to "slave-apps"?

Explorer

Hi @woodcock,

Since all these inputs are disabled by default, in any case, you will need to create an inputs.conf file to enable them. I would edit the script path while creating inputs in the app (i.e. orgallindexers_inputs ) that I create for input settings for indexers.

0 Karma
Highlighted

Re: How to handle splunkbase apps with "[script::...]: stanzas in "inputs.conf" when deploying from Cluster Master in "master-apps" to "slave-apps"?

New Member

I have the wrapper script have some knowledge of the possibility it may be in a different place. For example:

APPBASEDIR="${SPLUNK_HOME}/etc/apps/my_app_name"
# masters push out apps to etc/slave-apps on indexers
APPBASEDIRSLAVE="${SPLUNK_HOME}/etc/slave-apps/my_app_name"

...

if [[ ! -e ${APPBASEDIR} ]]; then
    log "Not deployed to ${APPBASEDIR}; checking for indexer deployment"
    if [[ -e ${APPBASEDIRSLAVE} ]]; then
        log "Updating basedir"
        APPBASEDIR=${APPBASEDIRSLAVE}
    else
        log "Unable to find deployment."
        exit 1
    fi
fi
0 Karma