Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Replicating/Copying files within Splunk SH Cluster members

ramesh_babu71
Path Finder
‎01-22-2018 01:53 AM

Hello,

We require your help implementing a part of solution for an app deployed in our Splunk SH cluster. The app is pushed to all the SH members using a deployer.

The App contains a script which downloads IoCs and deposits in the location “$SPLUNK_HOME/etc/apps/app_name/appserver/static“ so that our other Security solutions can access it via HTTP(S). The App is designed to download only in SH captain. This part works very well.

However we need a logic to copy/replicate the IOC files in /app_name/appserver/static (in captain) to other member servers too. The files in this location are CSV and JSON. Our goal is to access these files from remote location via web, If these files are kept updated in all peers then we can access it from any member server irrespective of which one is the actual captain node. Is there a way we can achieve this using Splunk only? We know this can be done using scp/share folder but client wants to do this within Splunk. Any help is appreciated.

0 Karma
Reply

nickhills
Ultra Champion
‎01-22-2018 02:06 AM

Are lookups not automatically synced between SH members? - Could you create you file in ./lookups?
http://docs.splunk.com/Documentation/Splunk/7.0.1/DistSearch/HowconfigurationworksinSHC

I think the fact that you are using app/static will prevent the run time replication - if you can move it to lookups, I think Splunk will handle it for you.

If my comment helps, please give it a thumbs up!
0 Karma
Reply

ramesh_babu71
Path Finder
‎01-22-2018 05:51 AM

Hi Nick,

We are keeping the files in the static folder so that these can accessed via http.

In our other security solutions we can just point the IOC location as http://splunkserver:8000/static/app/ app_name/IOCfilename.csv

If we move the files to lookups folder then we loose this facility.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...