Deployment Architecture

I don´t understand how the deployment server works

Contributor

Hello, i seem to have a basic missunderstanding how the Splunk 4.1.3 Deployment Server works. I want to deploy a simple inputs.conf to a group of Splunk Forwarder.

I did already the following:

1.) Setup a Deployment Server (same as my searchhead)

2.) Defined serverclass.conf:

[serverClass:PUC-Linux-LWF]
filterType = whitelist
repositoryLocation = /opt/splunk-searchhead/splunk/etc/deployment-apps/PUC-Linux-LWF
whitelist.0 = *

3.) Enabled the deployment clients (as described). Handshaking is working:

*lfrprax@splunk-a:/opt/splunk-searchhead/splunk/bin# ./splunk list deploy-clients

Deployment client: ip=10.111.128.98, dns=splunk-a.puc.ov.otto.de, hostname=splunk-a, mgmt=8589, build=80534, name=deploymentClient, id=connection_10.111.128.98_8589_splunk-a.puc.ov.otto.de_splunk-a_deploymentClient, utsname=linux-x86_64
                 utsname:       linux-x86_64
                 name:       deploymentClient
                 ip:       10.111.128.98
                 hostname:       splunk-a
                 build:       80534
                 dns:       splunk-a.puc.ov.otto.de
                 mgmt:       8589
                 phoneHomeTime:       Thu Aug 12 19:26:39 2010
                 id:       connection_10.111.128.98_8589_splunk-a.puc.ov.otto.de_splunk-a_deploymentClient*

4.) Created the directories and the inputs.conf that i want to distribute:

*lfrprax@splunk-a:/opt/splunk-searchhead/splunk/etc/deployment-apps/PUC-Linux-LWF/default# cat inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = 1
index = idx_dev_splunk

#TEST*

5.) Reloading Deploy-Server:

*lfrprax@splunk-a:/opt/splunk-searchhead/splunk/bin# ./splunk reload deploy-server
Reloading server classes (and checking for any new or removed classes).*

Here´s my question...where is the new inputs.conf on my deployment client? I can´t find it!???

Please, help.

Tags (1)
1 Solution

Influencer

You'll need to define your server class an app this way in your serverclass.conf:

[serverClass:PUC-Linux-LWF]
filterType = whitelist
whitelist.0 = *

[serverClass:PUC-Linux-LWF:app:PUC-Linux-LWF]
stateOnClient=enabled

Then the distribution of the configuration should work.

The configuation will appear in $SPLUNK_HOME/etc/apps/PUC-Linux-LWF/default/inputs.conf

EDIT:

For troubleshooting deployment install-failures, this search was quite handy in the past:

index="_internal" sourcetype="splunkd" component="DeploymentMetrics" | rename scName as serverClass fqname as install_location hostname as deploymentClient | table _time deploymentClient ip serverClass appName event status reason install_location

View solution in original post

Influencer

You'll need to define your server class an app this way in your serverclass.conf:

[serverClass:PUC-Linux-LWF]
filterType = whitelist
whitelist.0 = *

[serverClass:PUC-Linux-LWF:app:PUC-Linux-LWF]
stateOnClient=enabled

Then the distribution of the configuration should work.

The configuation will appear in $SPLUNK_HOME/etc/apps/PUC-Linux-LWF/default/inputs.conf

EDIT:

For troubleshooting deployment install-failures, this search was quite handy in the past:

index="_internal" sourcetype="splunkd" component="DeploymentMetrics" | rename scName as serverClass fqname as install_location hostname as deploymentClient | table _time deploymentClient ip serverClass appName event status reason install_location

View solution in original post

Contributor

Ok, i found also out, that for more than one forwarder i have to create more whitelist entries.

E.g.:

This entry:

whitelist.0 = blade583.puc.ov.otto.de, blade488.puc.ov.otto.de

...is not working.

If I use this:

whitelist.0 = blade583.puc.ov.otto.de
whitelist.1 = blade488.puc.ov.otto.de

...it is working.

How can i add 80+ forwarder entries to the whitelist?

0 Karma

Contributor

I deleted the deployment app repository and recreated it manually, as well as edited the serverclass.conf manually. Now it is working!

0 Karma

Contributor

Ok...support suggested to delete the entire apps and recreate them manually. i did that...and it works now!

0 Karma

Contributor

I did that, but the inputs.conf does not get distributed. Must be something simple i am missing?

0 Karma

Contributor

thank you, i´ll give it a try.

0 Karma

Splunk Employee
Splunk Employee

ziegfried's answer is basically right. You have to define an app containing the configurations, and specify the app under the serverClass definition.

0 Karma

Influencer

you could try running the search I've added to the answer on your deployment server

0 Karma

Contributor

Even more...i found out the deployment server is creating a temp directory here:

$SPLUNK_HOME/var/run/tmp/PUC-Linux-LWF

But that is also empty.

Why is it not transmitting my inputs.conf????

0 Karma

Contributor

Ok...i found out that the deployment client is indeed creating a subdirectory here:

$SPLUNK_HOME/var/run/PUC-Linux-LWF

But the directory is empty. No sight of the inputs.conf.

0 Karma

Contributor

Not working, sorry.

0 Karma

Contributor

Could it be that it is not working, since i use the searchhead as deployment server, which is using only a splunk forwarder license?

0 Karma

Contributor

Sorry, still not working.

Maybe i have to define the targetRepositoryLocation?

Or is the problem that my target Splunkforwarder is using a different management port?

I´ll open a support ticket.

0 Karma