Solved: Re: Search Head Deployer in a SH Cluster: What hap...

phoenixdigital · ‎06-14-2016

I have been doing a few tests on how configurations are pushed when applying a shcluster bundle. However, I would like to find some definitive answers if at all possible.

On the deployer in shcluster/apps I have a Splunk app with

appname/default/props.conf
appname/default/transforms.conf
appname/default/savedsearches.conf
appname/local/props.conf
appname/local/transforms.conf
appname/local/savedsearches.conf

Now it appears when I apply the cluster bundle with

sudo -u splunk /opt/splunk/bin/splunk apply shcluster-bundle -target https://10.10.1.1:8089 -auth admin:changeme

The app gets pushed to the search head cluster members.

However, on the search heads, it appears everything in appname/local has been "merged" with appname/default. This is great and I understand the reasoning behind this because it then means that users can make changes to the apps on the SH cluster and only changes are stored in the appname/local. This means that if the apps are deployed again, they won't overwrite local users changes to the app.

First question is. Where is this deployment behavior documented? I would assume matching stanzas in local/props.conf would override the default/props.conf, but is this documented somewhere?

What happens to local really isn't covered here
http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/PropagateSHCconfigurationchanges

Second Question is if I want to "take a snapshot" of an app from a search head in the cluster to "update" the deployer with the most recent version is it just a matter of copying off the entire app directory?
Removing any folders like appname/default.old.20160304-103301 which appear to be backups from the last deployment. Then copy this across to the deployer as the lastest "version". I can see the documentation says you don't need to but it seems like a good idea to "track" an app as it grows.

Bonus Knowledge
I just discovered you have control over how the deployer handles lookups which is great. This is one of the reasons I have been hesitant to deploy at times.

splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>

http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/HowconfrepoworksinSHC

teunlaan · ‎06-14-2016

First Answer : http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/PropagateSHCconfigurationchanges#App_co...
The Deployer merges Local > Default

Second Answer This is correct.
Keep in mind that again the local settings will be merged too default, but your "old locals" will stay on the SH's

View solution in original post

teunlaan · ‎06-14-2016

First Answer : http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/PropagateSHCconfigurationchanges#App_co...
The Deployer merges Local > Default

Second Answer This is correct.
Keep in mind that again the local settings will be merged too default, but your "old locals" will stay on the SH's

phoenixdigital · ‎06-14-2016

Thanks teunlaan. Missed that bit of the documentation. It was there right in front of my face.

Good point about the old local remnants on the clustered search heads in answer two. Probably a difficult thing to clean up apart from "un-deploying" then "re-deploying" the app. They wont have any impact if left in place obviously but it is just a bit messy. Maybe I will just stick to backing it up every now and then.

isoutamo · ‎09-26-2017

You could create app package on command line with command: splunk package app and then it tell to you where you could found and copy .spl file to transfer it to e.g. Deployer.

Search Head Deployer in a SH Cluster: What happens to local?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?