Is there a best practice for copying configurations from a deployment server (deployment apps) to search peers (master apps)?

Path Finder


I am building a clustered Splunk environment for one of our customers. The environment is built as follows:
- cluster master
  the cluster master also acts as license master, deployment server, SHC deployer, and DMC
- indexer1
  acts as search peer, license slave
- indexer2
  acts as search peer, license slave
- search head 1
  search head captain
- search head 2
  search head member
- search head 3
  search head member

Now the cluster master acts as both a deployment server and a cluster master. My question is, what is the best way to copy configuration from the deployment server, i.e. sourcetypes and indexes, to the search peers, i.e. into master_apps? I am thinking about using a symbolic link to copy conf from deployment apps to the master apps directory OR using the deployment server to deploy the changes straight to the indexers. But I am looking for a "best practice" and I'm not sure if the symlinking could cause problems. Any suggestions on how to go about this problem?


/ Daniel


You don't need to have all your configs in _cluster, you can have multiple apps under $SPLUNK_HOME/etc/master-apps/.

There's no need to symlink anything, just drop the apps in the master apps folder.

Ultra Champion

About -

-- My question is, what is the best way to copy configuration from deployment server, ie sourcetypes and indexes to the search peers, ie in master_apps

We maintain the indexes.conf on /opt/splunk/etc/master-apps/_cluster/local in the replication server and after making changes we push them via the Distribute Configuration Bundle from the UI of the replication server.

The following document, "About deployment server and forwarder management", says:

-- Do not use deployment server or forwarder management to manage configuration files across peer nodes (indexers) in an indexer cluster. Instead, use the configuration bundle method.

0 Karma

Path Finder

Thank you ddrilic for your answer.

I am, however, looking for a way to simplify the replication of indexes. I would like to know if there is an "easier" way of setting up indexes. Let's say that I am setting up inputs.conf and outputs.conf on a forwarder along with an indexes.conf for that specific source/server. I would like to create all the conf necessary in the deployed app; this way I should be able to keep source specifics (indexes, sourcetypes) in one place, i.e. the app. This way I could set up the app from the deployment server, use a symlink to $SPLUNK_HOME/etc/master-apps/_cluster/ and not have to worry about creating the indexes.conf file on the replication server. I want to know if someone has any experience of using this method or what problems it could lead to.

0 Karma

Ultra Champion

Makes perfect sense. It's just that this app of yours needs to reach the forwarders and the search peers, and each one of them at the moment has a specific built-in solution - deployment app and the configuration bundle (the original name of an app ;-) ). I think you are right in saying that logically both of these operations define a stream of data and therefore should be defined together. I just don't see how it can be done...

0 Karma
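
The replies above point to two things: apps can sit side by side under $SPLUNK_HOME/etc/master-apps/, and peers should receive configuration through the configuration bundle. The script below is an added example, not code from any poster in this thread or from Splunk. It stages real copies of a deployment app's indexer-side files under master-apps instead of symlinking. Assumptions: the function name, the `INDEXER_CONFS` list, and a deployment server and cluster master sharing one $SPLUNK_HOME as in the question.

```shell
#!/bin/sh
# Added example. Forwarder-only files (inputs.conf, outputs.conf) are left out
# on purpose so the peers never pick up monitor stanzas or forwarding targets.
# Assumption: these three files are all the peers need from the app.
INDEXER_CONFS="indexes.conf props.conf transforms.conf"

# sync_app_to_master_apps <splunk_home> <app_name>
# Returns 0 on success, 1 if the deployment app is missing, 2 if a source
# file is a symlink (refused so the bundle only contains regular files that
# live inside master-apps).
sync_app_to_master_apps() {
    local home="$1" app="$2" src dst layer conf
    src="$home/etc/deployment-apps/$app"
    dst="$home/etc/master-apps/$app"
    [ -d "$src" ] || { echo "no such deployment app: $app" >&2; return 1; }

    # Pass 1: check every candidate before anything is written to master-apps.
    for layer in default local; do
        for conf in $INDEXER_CONFS; do
            if [ -L "$src/$layer/$conf" ]; then
                echo "refusing symlink: $src/$layer/$conf" >&2
                return 2
            fi
        done
    done

    # Pass 2: copy only files whose content changed, keeping timestamps.
    for layer in default local; do
        for conf in $INDEXER_CONFS; do
            [ -f "$src/$layer/$conf" ] || continue
            mkdir -p "$dst/$layer"
            cmp -s "$src/$layer/$conf" "$dst/$layer/$conf" 2>/dev/null ||
                cp -p "$src/$layer/$conf" "$dst/$layer/$conf"
        done
    done
    return 0
}

# On the cluster master, the staged app is then pushed with the bundle method:
#   sync_app_to_master_apps "$SPLUNK_HOME" my_source_app &&
#   "$SPLUNK_HOME/bin/splunk" validate cluster-bundle &&
#   "$SPLUNK_HOME/bin/splunk" apply cluster-bundle
```

Here `my_source_app` is a placeholder app name. The deployment app stays the single place that gets edited, and the copy under master-apps is regenerated before each bundle push.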