Deployment Architecture

Is there a best practice for copying configurations from a deployment server (deployment apps) to search peers (master apps)?

YoungDaniel
Path Finder

Hi,

I am building a clustered Splunk environment for one of our customers. The environment is built as follows:
- cluster master
  - the cluster master also acts as license master, deployment server, SHC deployer, and DMC
- indexer1
  - acts as search peer, license slave
- indexer2
  - acts as search peer, license slave
- search head 1
  - search head captain
- search head 2
  - search head member
- search head 3
  - search head member

Now the cluster master acts as both a deployment server and a cluster master. My question is, what is the best way to copy configuration from the deployment server, i.e. sourcetypes and indexes, to the search peers, i.e. in master_apps? I am thinking about using a symbolic link to copy conf from deployment apps to the master apps directory OR using the deployment server to deploy the changes straight to the indexers. But I am looking for a "best practice" and I'm not sure if the symlinking could cause problems. Any suggestions on how to go about this problem?

Thanks!

/ Daniel

jplumsdaine22
Influencer

You don't need to have all your configs in _cluster, you can have multiple apps under $SPLUNK_HOME/etc/master-apps/.

There's no need to symlink anything; just drop the apps in the master apps folder.

ddrillic
Ultra Champion

About -

-- My question is, what is the best way to copy configuration from deployment server, ie sourcetypes and indexes to the search peers, ie in master_apps

We maintain the indexes.conf in /opt/splunk/etc/master-apps/_cluster/local on the replication server, and after making changes we push them via the Distribute Configuration Bundle from the UI of the replication server.

The following document, "About deployment server and forwarder management", says:

-- Do not use deployment server or forwarder management to manage configuration files across peer nodes (indexers) in an indexer cluster. Instead, use the configuration bundle method.

0 Karma

YoungDaniel
Path Finder

Thank you ddrillic for your answer.

I am however looking for a way to simplify the replications of indexes. I would like to know if there is an "easier" way of setting up indexes. Let's say that I am setting up inputs.conf and outputs.conf on a forwarder along with an indexes.conf for that specific source/server. I would like to create all the conf necessary in the deployed app; this way I should be able to keep source specifics (indexes, sourcetypes) in one place, i.e. the app. This way I could set up the app from the deployment server, use a symlink to $SPLUNK_HOME/etc/master-apps/_cluster/ and not have to worry about creating the indexes.conf file on the replication server. I want to know if someone has any experience of using this method or what problems it could lead to.

0 Karma

ddrillic
Ultra Champion

Makes perfect sense. It's just that this app of yours needs to reach the forwarders and the search peers, and each one of them at the moment has a specific built-in solution: the deployment app and the configuration bundle (the original name of an app ;-) ). I think you are right in saying that logically both of these operations define a stream of data and therefore should be defined together. I just don't see how it can be done...

0 Karma
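One way to keep a single source app while still using the configuration bundle method discussed in this thread, as an added example that is not code from any of the posters or from Splunk: copy the peer-relevant files from the deployment app into master-apps as regular files instead of symlinking. The names `sync_peer_confs` and `PEER_CONFS` are hypothetical, and the list of files that peers need is an assumption to adjust per app.

```shell
#!/usr/bin/env bash
# Added example: sync indexer-relevant .conf files from a deployment app
# into master-apps as regular files (no symlinks), so the same app stays the
# single source for forwarders (deployment server) and peers (bundle push).

# Assumption: peers need only these files; inputs.conf and outputs.conf are
# forwarder-side and are deliberately not copied.
PEER_CONFS="indexes.conf props.conf transforms.conf"

# sync_peer_confs <deployment-app-dir> <master-apps-dir>
# Prints the number of files copied or updated; returns 2 on bad arguments.
sync_peer_confs() {
    src=$1
    dest_root=$2
    if [ ! -d "$src" ] || [ ! -d "$dest_root" ]; then
        echo "usage: sync_peer_confs <deployment-app-dir> <master-apps-dir>" >&2
        return 2
    fi
    app=$(basename "$src")
    copied=0
    for sub in default local; do
        for conf in $PEER_CONFS; do
            f="$src/$sub/$conf"
            # Skip files that are absent, and skip symlinks so the bundle
            # never depends on a path outside the app itself.
            [ -f "$f" ] && [ ! -L "$f" ] || continue
            mkdir -p "$dest_root/$app/$sub"
            # Copy only when the content changed, to avoid needless pushes.
            if ! cmp -s "$f" "$dest_root/$app/$sub/$conf" 2>/dev/null; then
                cp "$f" "$dest_root/$app/$sub/$conf"
                copied=$((copied + 1))
            fi
        done
    done
    echo "$copied"
}

# Stand-alone use: ./sync.sh $SPLUNK_HOME/etc/deployment-apps/<app> \
#                            $SPLUNK_HOME/etc/master-apps
# Then, on the cluster master, check and push the bundle:
#   splunk validate cluster-bundle
#   splunk apply cluster-bundle
if [ "$#" -eq 2 ]; then
    sync_peer_confs "$1" "$2"
fi
```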