Deployment Architecture

I don't understand how the deployment server works

tpaulsen
Contributor

Hello, I seem to have a basic misunderstanding of how the Splunk 4.1.3 Deployment Server works. I want to deploy a simple inputs.conf to a group of Splunk Forwarders.

I have already done the following:

1.) Set up a Deployment Server (same as my searchhead)

2.) Defined serverclass.conf:

[serverClass:PUC-Linux-LWF]
filterType = whitelist
repositoryLocation = /opt/splunk-searchhead/splunk/etc/deployment-apps/PUC-Linux-LWF
whitelist.0 = *

3.) Enabled the deployment clients (as described). Handshaking is working:

lfrprax@splunk-a:/opt/splunk-searchhead/splunk/bin# ./splunk list deploy-clients

Deployment client: ip=10.111.128.98, dns=splunk-a.puc.ov.otto.de, hostname=splunk-a, mgmt=8589, build=80534, name=deploymentClient, id=connection_10.111.128.98_8589_splunk-a.puc.ov.otto.de_splunk-a_deploymentClient, utsname=linux-x86_64
                 utsname:       linux-x86_64
                 name:       deploymentClient
                 ip:       10.111.128.98
                 hostname:       splunk-a
                 build:       80534
                 dns:       splunk-a.puc.ov.otto.de
                 mgmt:       8589
                 phoneHomeTime:       Thu Aug 12 19:26:39 2010
                 id:       connection_10.111.128.98_8589_splunk-a.puc.ov.otto.de_splunk-a_deploymentClient

4.) Created the directories and the inputs.conf that I want to distribute:

lfrprax@splunk-a:/opt/splunk-searchhead/splunk/etc/deployment-apps/PUC-Linux-LWF/default# cat inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = 1
index = idx_dev_splunk

#TEST

5.) Reloading Deploy-Server:

lfrprax@splunk-a:/opt/splunk-searchhead/splunk/bin# ./splunk reload deploy-server
Reloading server classes (and checking for any new or removed classes).

Here's my question... where is the new inputs.conf on my deployment client? I can't find it!

Please, help.

1 Solution

ziegfried
Influencer

You'll need to define your server class and app this way in your serverclass.conf:

[serverClass:PUC-Linux-LWF]
filterType = whitelist
whitelist.0 = *

[serverClass:PUC-Linux-LWF:app:PUC-Linux-LWF]
stateOnClient=enabled

Then the distribution of the configuration should work.

The configuration will appear in $SPLUNK_HOME/etc/apps/PUC-Linux-LWF/default/inputs.conf

EDIT:

For troubleshooting deployment install-failures, this search was quite handy in the past:

index="_internal" sourcetype="splunkd" component="DeploymentMetrics" | rename scName as serverClass fqname as install_location hostname as deploymentClient | table _time deploymentClient ip serverClass appName event status reason install_location

tpaulsen
Contributor

OK, I also found out that for more than one forwarder I have to create more whitelist entries.

E.g.:

This entry:

whitelist.0 = blade583.puc.ov.otto.de, blade488.puc.ov.otto.de

...is not working.

If I use this:

whitelist.0 = blade583.puc.ov.otto.de
whitelist.1 = blade488.puc.ov.otto.de

...it is working.

How can I add 80+ forwarder entries to the whitelist?

0 Karma

tpaulsen
Contributor

I deleted the deployment app repository and recreated it manually, as well as edited the serverclass.conf manually. Now it is working!

0 Karma

tpaulsen
Contributor

OK... support suggested deleting the entire apps and recreating them manually. I did that... and it works now!

0 Karma

tpaulsen
Contributor

I did that, but the inputs.conf does not get distributed. Must be something simple I am missing?

0 Karma

tpaulsen
Contributor

Thank you, I'll give it a try.

0 Karma

gkanapathy
Splunk Employee

ziegfried's answer is basically right. You have to define an app containing the configurations, and specify the app under the serverClass definition.

0 Karma

ziegfried
Influencer

You could try running the search I've added to the answer on your deployment server.

0 Karma

tpaulsen
Contributor

Even more... I found out the deployment server is creating a temp directory here:

$SPLUNK_HOME/var/run/tmp/PUC-Linux-LWF

But that is also empty.

Why is it not transmitting my inputs.conf????

0 Karma

tpaulsen
Contributor

OK... I found out that the deployment client is indeed creating a subdirectory here:

$SPLUNK_HOME/var/run/PUC-Linux-LWF

But the directory is empty. No sight of the inputs.conf.

0 Karma

tpaulsen
Contributor

Not working, sorry.

0 Karma

tpaulsen
Contributor

Could it be that it is not working, since I use the searchhead as deployment server, which is using only a splunk forwarder license?

0 Karma

tpaulsen
Contributor

Sorry, still not working.

Maybe I have to define the targetRepositoryLocation?

Or is the problem that my target Splunkforwarder is using a different management port?

I'll open a support ticket.

0 Karma