Hello Splunkers.
I would like to ask for some advice from you, as we are planning to replace a lot of rsync scripts that we use to distribute apps to all of our deployment servers.
We have an architecture of 5 different tenants, that are pretty much completly isolated from eachothers. Because of that, we have one deployment server in each tenant. To centrally manage all this tenants, we have one "master" server, where we keep all our splunk configuration (apps, serverclasses etc.), and uses scripts based on rsync to push them out to the other deployment servers.
I have an impression of that using tools like ansible or puppet etc. has become the "industry standard" of the way of handling such big Splunk multi-tenant enviroments. Found this presentation from CONF19, held by Splunk themself, that shows how to utilize ansible to achieve this: FN2048.pdf (splunk.com)
As of what i understand, the alternative to using an 3rd party tools (ie. ansible) for this, would be to use a "Master/Slave" configuration for the deployment servers, having the master deployment server to push apps to "/opt/splunk/etc/deployment-apps/" to other slave deployment servers with such config:
[serverClass:secondaryDeploymentServersDeploymentApps]
targetRepositoryLocation = $SPLUNK_HOME/etc/deployment-apps
(source: https://community.splunk.com/t5/Deployment-Architecture/How-to-set-up-Multiple-Deployment-Servers-Co...
We want to get rid of all theese scripts for syncing indexers, standalone search heads, search head clusters and UF's, so we are trying to find the best way.
My question is, is there any advantages or disadvantages with theese two models?
The "splunk only" method of doing this, doesnt seem to be nearly as popular using ansible?
In advance, a bit thank you for any advice 🙂
