Deployment Architecture

How to move single search head to deployment client

tkwaller_2
Communicator

Hello

I have a single search head that uses 2 indexers as peers, I want to make the search head a deployment client since this environment will not grow. I moved the non-default apps out of the SPLUNKHOME/apps/ directory. Leaving the default apps(with some customizations, like knowledge objects in the search app). When I move the non-default apps to the deployment server and have the search head connect and download the apps, all the default apps are overwritten. How can I accomplish this task without overwriting the default apps? Is this possible? I know I could probably create a a few more SH's and then cluster them and give them a master but that kinda defeats what I am trying to do, as I have several small environments I'd like to do this to with a single deployment server.

Essentially, several small environments that I only want to update the SH instance's app's from a single deployment server that uses seperate serverclasses depending on env.

Thanks for the thoughts!

0 Karma
1 Solution

dkeck
Influencer

Hi,

please be aware that in a Search Head Cluster you cannot use a Deployment Server to deploy apps, you will need another server called "Deployer", these are two different roles.

This beeing said, you can use a deployment server to push apps to a stand alone Search Head, but its not really pretty. Normaly you will have a lot of changes a your SH, since user will change searches, field extraction etc.

Another thing you will not be able to do as easy as normal is updating apps. You will have to upload the apps maunally to the /deployment-apps folder on the deploymentserver and you can´t just update them in the app overview on the SH.

"

When I move the non-default apps to
the deployment server and have the
search head connect and download the
apps, all the default apps are
overwritten"

hm this sounds weird though. If you just deploy "non-default" apps the default apps in etc/apps on the SH should not change. How do you see that they are changed?

David

View solution in original post

dkeck
Influencer

Hi,

please be aware that in a Search Head Cluster you cannot use a Deployment Server to deploy apps, you will need another server called "Deployer", these are two different roles.

This beeing said, you can use a deployment server to push apps to a stand alone Search Head, but its not really pretty. Normaly you will have a lot of changes a your SH, since user will change searches, field extraction etc.

Another thing you will not be able to do as easy as normal is updating apps. You will have to upload the apps maunally to the /deployment-apps folder on the deploymentserver and you can´t just update them in the app overview on the SH.

"

When I move the non-default apps to
the deployment server and have the
search head connect and download the
apps, all the default apps are
overwritten"

hm this sounds weird though. If you just deploy "non-default" apps the default apps in etc/apps on the SH should not change. How do you see that they are changed?

David

tkwaller_2
Communicator

Hello and thanks for the response. I understand how clusters work and have worked with very large cluster of search heads as well as indexers, of 100+ cluster members. I am however trying to get something else working. For this use case we have a standalone search head that we develop things on and we migrate that manually to a standalone search head prod environment. I would like to do this as a deployment push from a deployment server to the prod environment so it doesn't have to be manually touched. Users wont be able to edit any of the searches behind any of the dashboards they will have access to so things wont change unless changed by an admin and pushed out.

The problem is that, when in the dev env, I add the non-default apps to the deployment server and push the apps out the default apps are removed, like the search app.

Not sure why though.

Thanks
Todd

0 Karma

prakash007
Builder

@tkwaller_2: did you try to manage this single search-head via deployment server ever before, If it's deployment server is trying to override the apps...
go through this Splunk doc...
http://docs.splunk.com/Documentation/Splunk/7.2.1/Updating/Createdeploymentapps#App_management_issue...

you can have a serverclass defined for your custom apps on your deployment server,and I don't think that will override the default apps.
If possible remove the traces of deployment server on search-head(deployment client.conf) and re-enable it as a deployment client.

0 Karma

tkwaller_2
Communicator

Hello
I will mark your comment as the answer, Im sure its something thats caused by us and not Splunk. Not sure why though. It still deletes all apps that arent deployed via the deployment server, including the default apps.

This may not work for my sue case but I thought it would so it was worth trying.

Thanks for the assistance

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...