Deployment Architecture

Is there a centralized way to deploy configuration files?

avalle
Path Finder

Hello All,
I have not found this answer yet. I am in the process of configuring and testing a deployment server. My environment is completely deployed but I want to have a central place to update all of my conf files. I see a lot of documentation about deploying apps but none about updating the conf file. Does anyone know or have documentation on the steps to deploy conf files?

0 Karma
1 Solution

triest
Communicator

When you deploy configuration files, you do it within the context of an app. You can think of an app as basically a "configuration bundle" if that helps wrap your mind around how this is working. An app can include executable code, but the vast majority of ours hold only configuration files.

I'm not sure how you are used to configuring Splunk; have you been editing files in $SPLUNK_HOME/etc/system/local?

The most common types of configuration files to deploy in an application would probably be props, transforms, and inputs, but you aren't limited to only those configuration files.

If you're not sure, create an app in $SPLUNK_HOME/etc/apps, put the configuration file in either the default or local sub-directory and then run $SPLUNK_HOME/bin/splunk btool FILE list where FILE is the name of the configuration file without the .conf suffix. That will get you a merged view of the configuration files; basically that's what Splunk would be using if you restarted it. If you see your setting, then you know the configuration file is being read and you can build your confidence that using an app to hold your configuration files really is going to do what you want.

frmaasdam
Path Finder

When you create an app named app1 and an app named app2, both with, for example, a props.conf, they will, after deployment to the FW, reside in:
~/etc/apps/app1/local/props.conf and
~/etc/apps/app2/local/props.conf
The working props.conf of the FW will be a merged running file of all the props.conf files on the system, including those in the app1 and app2 directories.
There is no need to place them in ~/etc/system/local.
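
The layout described in the two answers above, as an added example that is not part of the original posts or Splunk's own tooling: two config-only apps that each carry a props.conf, the btool check from the accepted answer, and a helper that lists settings defined in more than one file. DEMO_HOME, the function names and the sample stanzas are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. DEMO_HOME is a hypothetical stand-in for $SPLUNK_HOME; it defaults
# to a scratch directory so nothing touches a real install.
DEMO_HOME="${DEMO_HOME:-$(mktemp -d)}"

# make_conf_app APP CONF STANZA KEY VALUE: append a stanza to etc/apps/APP/local/CONF.conf
make_conf_app() {
  local dir="$DEMO_HOME/etc/apps/$1/local"
  mkdir -p "$dir"
  printf '[%s]\n%s = %s\n' "$3" "$4" "$5" >> "$dir/$2.conf"
}

# list_conf_sources CONF: every default/ or local/ copy of CONF.conf under etc/
list_conf_sources() {
  find "$DEMO_HOME/etc" -type f -name "$1.conf" \
    \( -path '*/local/*' -o -path '*/default/*' \) | sort
}

# conf_conflicts CONF: "[stanza] key" pairs set by more than one file. The merged
# view keeps a single value for each, so these are the settings to review.
# Simplified parser: ignores backslash line continuations.
conf_conflicts() {
  list_conf_sources "$1" | xargs awk '
    FNR == 1 { stanza = "[default]" }
    /^[ \t]*(#|$)/ { next }
    /^\[.*\]/ { stanza = $0; next }
    { split($0, kv, "="); key = kv[1]; gsub(/[ \t]/, "", key)
      if (!seen[stanza, key, FILENAME]++) count[stanza " " key]++ }
    END { for (k in count) if (count[k] > 1) print k }' | sort
}

# show_merged CONF: btool output when a Splunk binary exists, else the source files
show_merged() {
  if [ -x "$DEMO_HOME/bin/splunk" ]; then
    "$DEMO_HOME/bin/splunk" btool "$1" list --debug
  else
    list_conf_sources "$1"
  fi
}

# Constructed sample settings: app1 and app2 both set TRUNCATE for the same stanza.
make_conf_app app1 props 'constructed:web' TRUNCATE 20000
make_conf_app app2 props 'constructed:web' TRUNCATE 10000
make_conf_app app2 props 'constructed:db' SHOULD_LINEMERGE false
show_merged props
echo "Set in more than one file:"; conf_conflicts props
```

On a host with Splunk installed, the --debug flag makes btool print the file each merged setting came from, which shows which app's value is in effect for a conflicting key.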

avalle
Path Finder

@frmaasdam may have a better answer than me or @triest since they both answered my question

0 Karma

avalle
Path Finder

Thank you! Splunk was already deployed before I took the position and they used another app to send the conf files to all of the devices and now it is my job to manage them.
I've never created an app before; is there a default app that I can use to put the conf files in?

0 Karma

mhsears418
New Member

Question... after creating your own app as mentioned above, placing the updated config files you want to push to your forwarders, and then pushing to them, how will the updated config files get into the proper directory on the forwarders, i.e. etc/system/local?

0 Karma

frmaasdam
Path Finder

You can of course place your config files in a self-created app with any name, like configapp.
This is how I deploy my inputs, outputs, props, transforms etc.

0 Karma