Deployment Architecture

Is there a centralized way to deploy configuration files?

avalle
Path Finder

Hello All,
I have not found this answer yet. I am in the process of configuring and testing a deployment server. My environment is completely deployed but I want to have a central place to update all of my conf files. I see a lot of documentation about deploying apps but none about updating the conf file. Does anyone know or have documentation on the steps to deploy conf files?

0 Karma
1 Solution

triest
Communicator

When you deploy configuration files, you do it within the context of an app. You can think of an app as basically a "configuration bundle" if that helps wrap your mind around how this is working. An app can include executable code, but the vast majority of ours hold only configuration files.

I'm not sure how you are used to configuring Splunk; have you been editing files in $SPLUNK_HOME/etc/system/local?

The most common types of configuration files to deploy in an application would probably by props, transforms, and inputs, but you aren't limited to only those configuration files.

If you're not sure, create an app in $SPLUNK_HOME/etc/apps, put the configuration file in either the default or local sub-directory and then run $SPLUNK_HOME/bin/splunk btool FILE list where FILE is the name of the configuration file without the .conf suffix. That will get you a merged view of the configuration files; basically that's what Splunk would be using if you restarted it. If you see your setting, then you know the configuration file is being read and you can build your confidence that using an app to hold your configuration files really is going to do what you want.

View solution in original post

triest
Communicator

When you deploy configuration files, you do it within the context of an app. You can think of an app as basically a "configuration bundle" if that helps wrap your mind around how this is working. An app can include executable code, but the vast majority of ours hold only configuration files.

I'm not sure how you are used to configuring Splunk; have you been editing files in $SPLUNK_HOME/etc/system/local?

The most common types of configuration files to deploy in an application would probably by props, transforms, and inputs, but you aren't limited to only those configuration files.

If you're not sure, create an app in $SPLUNK_HOME/etc/apps, put the configuration file in either the default or local sub-directory and then run $SPLUNK_HOME/bin/splunk btool FILE list where FILE is the name of the configuration file without the .conf suffix. That will get you a merged view of the configuration files; basically that's what Splunk would be using if you restarted it. If you see your setting, then you know the configuration file is being read and you can build your confidence that using an app to hold your configuration files really is going to do what you want.

frmaasdam
Path Finder

When you create an app named app1 and an app named app2 both with for example an props.conf they will after deployment to the FW resides in:
~/etc/apps/app1/local/props.conf and
~/etc/apps/app2/local/props.conf
The working props.conf of the FW will be a merged running file of all the props.conf files on the system including those in the app1 and app2 directory.
There is no need to place them in ~/etc/system/local

avalle
Path Finder

@frmaasdam may have a better answer than me or @triest since they both answered my question

0 Karma

avalle
Path Finder

Thank you! Splunk was already deployed before I took the position and they used another app to send the conf files toall of the devices and now it is my job to manage them.
I've never created an app before, is there a default app that I can use to put the conf files in?

0 Karma

mhsears418
New Member

question...after creating your own app as mentioned above; placing the updated config files you want to push to your forwarders and then pushing to them how will the updated config files get into the proper directory on the forwarders ie etc/system/local?

0 Karma

frmaasdam
Path Finder

You can ofcourse place your config files in an self created app with any name like configapp.
This is how I deploy my inputs, outputs, props, transforms etc.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...