Deployment Architecture

Is it possible to use etc\system\local to configure a backup deployment server?


I have a Splunk environment that is simple enough to be managed by a single deployment server. Currently, when installing a forwarder, we script in the creation of two deploymentclient.conf files. One file is in etc\system\local and identifies the clientName. The second deploymentclient.conf file is in etc\app\OurDeploymentApp and defines the targetUri to point to our deployment server.

The system comes up, uses the two deploymentclient.conf files to reach out to the deployment server and identify itself. The deployment server does its thing... and pushes the appropriate deployment apps to the system.

One of the deployment apps that is pulled down is "OurDeploymentApp", which contains the same deploymentclient.conf file defining the targetUri. This allows us to move our deployment server if needed by updating just the deployment app.

I know the conf priority is higher for apps. Is it possible to put a backup targetUri setting in etc/system/local in case something happens to the deployment app file? This will have no impact in a "standard" situation of both files being present, but add a layer of redundancy if the app version of the file were removed.

Is there a problem with two files specifically defining deploymentclient.conf's targetUri?


0 Karma


You could also use /etc/system/default/deploymentclient.conf as the scripted config that would then allow your client to connect and download /etc/apps/A/local/deploymentclient.conf from the deployment server which would then take precedence, leaving the config in /etc/system/default that would serve as your backup.

0 Karma

Revered Legend

The configuration files at location $SPLUNK_HOME/etc/system/local will have higher precedence than $SPLUNK_HOME/etc/apps, so if you keep a "backup/default" deploymentclient.conf with targetUri, that will always take precedence and your mechanism to update the deployment server by pushing an app will not work. See this link for details on Splunk configuration file precedence.

So, this is the precedence of the app/configuration in Splunk (for global context files such as your deploymentclient.conf):

$SPLUNK_HOME/etc/apps/A/local/* ... $SPLUNK_HOME/etc/apps/z/local/*    
$SPLUNK_HOME/etc/apps/A/default/* ... $SPLUNK_HOME/etc/apps/z/default/*    

So if you want to set a default deploymentclient.conf with a default value of targetUri (so it can connect to at least one deployment server, which can be overridden if required), I would suggest creating an app in location $SPLUNK_HOME/etc/apps with an app name starting with the letter z (lowercase z) and keeping it in the default directory (e.g. $SPLUNK_HOME/etc/apps/z_systemdefault/default/deploymentclient.conf). The app that you're pushing should have an app name other than lowercase z, and it will be able to override the default setting.

0 Karma
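An added example (not part of the thread and not Splunk's own code) that models the global-context precedence order for deploymentclient.conf, with system/local above all apps, to show which targetUri a forwarder would end up using as each layer appears. The hostnames, the `[target-broker:deploymentServer]` stanza contents, and the choice to keep the pushed app's file under `local` are constructed assumptions.

```python
import configparser
import tempfile
from pathlib import Path

STANZA = "target-broker:deploymentServer"
CONF = "deploymentclient.conf"

def layers(etc):
    """Yield existing CONF files, highest precedence first (global context)."""
    # App directories are ranked in ASCII order, so 'A...' outranks 'z...'.
    apps = sorted((p for p in (etc / "apps").iterdir() if p.is_dir()),
                  key=lambda p: p.name)
    dirs = [etc / "system" / "local"] + [a / "local" for a in apps]
    dirs += [a / "default" for a in apps] + [etc / "system" / "default"]
    for d in dirs:
        if (d / CONF).is_file():
            yield d / CONF

def effective(etc, key="targetUri"):
    """Return (value, winning file relative to etc) or (None, None)."""
    # Splunk merges per attribute, so the first layer that sets the key wins.
    for f in layers(etc):
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.optionxform = str  # keep key case: targetUri, not targeturi
        cp.read(f)
        if cp.has_option(STANZA, key):
            return cp.get(STANZA, key), f.relative_to(etc).as_posix()
    return None, None

def write(etc, rel, uri):
    # Constructed sample file, not taken from a real deployment.
    (etc / rel).mkdir(parents=True, exist_ok=True)
    (etc / rel / CONF).write_text(f"[{STANZA}]\ntargetUri = {uri}\n")

def demo():
    """Add layers one at a time and record which file wins after each step."""
    seen = {}
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        write(etc, "apps/z_systemdefault/default", "ds-fallback.example.test:8089")
        seen["fallback_only"] = effective(etc)
        write(etc, "apps/OurDeploymentApp/local", "ds-pushed.example.test:8089")
        seen["app_pushed"] = effective(etc)
        write(etc, "system/local", "ds-backup.example.test:8089")
        seen["system_local_added"] = effective(etc)
    return seen

if __name__ == "__main__":
    for step, (uri, src) in demo().items():
        print(f"{step:20} {uri:32} <- {src}")
```

On a real forwarder, `splunk btool deploymentclient list --debug` reports the merged settings together with the file each one came from, which is the way to confirm which targetUri is actually in effect.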