Hi,
I am building a clustered Splunk environment for one of our customers. The environment is built as follows:
- cluster master: also acts as license master, deployment server, SHC deployer, and DMC
- indexer1: acts as search peer, license slave
- indexer2: acts as search peer, license slave
- search head 1: search head captain
- search head 2: search head member
- search head 3: search head member
Now the cluster master acts as both a deployment server and a cluster master. My question is, what is the best way to copy configuration from the deployment server, i.e. sourcetypes and indexes, to the search peers, i.e. in master_apps? I am thinking about using a symbolic link to copy conf from deployment apps to the master apps directory OR using the deployment server to deploy the changes straight to the indexers. But I am looking for a "best practice" and I'm not sure if the symlinking could cause problems. Any suggestions on how to go about this problem?
Thanks!
/ Daniel
You don't need to have all your configs in _cluster, you can have multiple apps under $SPLUNK_HOME/etc/master-apps/.
There's no need to symlink anything, just drop the apps in the master apps folder.
About -
-- My question is, what is the best way to copy configuration from deployment server, ie sourcetypes and indexes to the search peers, ie in master_apps
We maintain the indexes.conf on /opt/splunk/etc/master-apps/_cluster/local in the replication server, and after making changes we push them via the Distribute Configuration Bundle from the UI of the replication server.
The following document, "About deployment server and forwarder management", says:
-- Do not use deployment server or forwarder management to manage configuration files across peer nodes (indexers) in an indexer cluster. Instead, use the configuration bundle method.
Thank you ddrilic for your answer.
I am, however, looking for a way to simplify the replications of indexes. I would like to know if there is an "easier" way of setting up indexes. Let's say that I am setting up inputs and outputs.conf on a forwarder along with an indexes.conf for that specific source/server. I would like to create all the conf necessary in the deployed app; this way I should be able to keep source specifics (indexes, sourcetypes) in one place, i.e. the app. This way I could set up the app from the deployment server, use a symlink to $SPLUNK_HOME/etc/master-apps/_cluster/ and not have to worry about creating the indexes.conf file on the replication server. I want to know if someone has any experience of using this method or what problems it could lead to.
Makes perfect sense. It's just that this app of yours needs to reach the forwarders and the search peers, and each one of them at the moment has a specific built-in solution - deployment app and the configuration bundle (the original name of an app ;-) ). I think you are right in saying that logically both of these operations define a stream of data and therefore should be defined together. I just don't see how it can be done...
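
The thread weighs symlinking deployment apps into master-apps against the configuration bundle method. As an added example (not written by any poster in this thread, and not Splunk's own tooling), one alternative to a symlink is to copy only the indexer-relevant files from each deployment app into master-apps and then push the bundle from the cluster master's CLI, so the forwarder-only inputs.conf and outputs.conf never reach the peers. The function names, the list of copied files and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: keep one app per data source under deployment-apps, and copy
# just the files the peer nodes need into master-apps before a bundle push.
set -eu

# Assumed split: these go to the indexers; inputs.conf/outputs.conf stay
# forwarder-only and are never copied.
PEER_CONFS="indexes.conf props.conf transforms.conf"

# sync_peer_confs SRC_ROOT DST_ROOT
# Copies PEER_CONFS from SRC_ROOT/<app>/{default,local} to the same relative
# path under DST_ROOT and prints the number of files copied.
sync_peer_confs() {
    local src_root="$1" dst_root="$2" copied=0 app name dir conf
    for app in "$src_root"/*/; do
        [ -d "$app" ] || continue          # glob matched nothing
        name=$(basename "$app")
        for dir in default local; do
            for conf in $PEER_CONFS; do
                if [ -f "$app$dir/$conf" ]; then
                    mkdir -p "$dst_root/$name/$dir"
                    cp -p "$app$dir/$conf" "$dst_root/$name/$dir/$conf"
                    copied=$((copied + 1))
                fi
            done
        done
    done
    echo "$copied"
}

# push_bundle SPLUNK_BIN: validate, distribute, then report bundle status.
push_bundle() {
    "$1" validate cluster-bundle
    "$1" apply cluster-bundle --answer-yes
    "$1" show cluster-bundle-status
}

# Run on the cluster master only when asked to: ./sync.sh --apply
if [ "${1:-}" = "--apply" ]; then
    : "${SPLUNK_HOME:=/opt/splunk}"
    sync_peer_confs "$SPLUNK_HOME/etc/deployment-apps" \
                    "$SPLUNK_HOME/etc/master-apps" >/dev/null
    push_bundle "$SPLUNK_HOME/bin/splunk"
fi
```

Files removed from a deployment app are not removed from master-apps by this copy, so deletions still have to be made in both places.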