Search Head Deployer in a SH Cluster: What happens to local?

phoenixdigital
Builder

I have been doing a few tests on how configurations are pushed when applying a shcluster bundle. However, I would like to find some definitive answers if at all possible.

On the deployer in shcluster/apps I have a Splunk app with

  • appname/default/props.conf
  • appname/default/transforms.conf
  • appname/default/savedsearches.conf
  • appname/local/props.conf
  • appname/local/transforms.conf
  • appname/local/savedsearches.conf

Now it appears when I apply the cluster bundle with

sudo -u splunk /opt/splunk/bin/splunk apply shcluster-bundle -target https://10.10.1.1:8089 -auth admin:changeme

The app gets pushed to the search head cluster members.

However, on the search heads, it appears everything in appname/local has been "merged" with appname/default. This is great and I understand the reasoning behind this because it then means that users can make changes to the apps on the SH cluster and only changes are stored in the appname/local. This means that if the apps are deployed again, they won't overwrite local users' changes to the app.

First question: where is this deployment behavior documented? I would assume matching stanzas in local/props.conf would override the default/props.conf, but is this documented somewhere?

What happens to local really isn't covered here
http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/PropagateSHCconfigurationchanges

Second question: if I want to "take a snapshot" of an app from a search head in the cluster to "update" the deployer with the most recent version, is it just a matter of copying off the entire app directory?
Removing any folders like appname/default.old.20160304-103301 which appear to be backups from the last deployment. Then copy this across to the deployer as the latest "version". I can see the documentation says you don't need to but it seems like a good idea to "track" an app as it grows.

Bonus Knowledge
I just discovered you have control over how the deployer handles lookups which is great. This is one of the reasons I have been hesitant to deploy at times.

splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>

http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/HowconfrepoworksinSHC

1 Solution

teunlaan
Contributor

First Answer : http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/PropagateSHCconfigurationchanges#App_co...
The Deployer merges Local > Default

Second Answer: This is correct.
Keep in mind that again the local settings will be merged to default, but your "old locals" will stay on the SHs.
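
The "Local > Default" merge described in this answer, as an added example (not from the original posts and not Splunk's own code): it merges an app's local/*.conf over default/*.conf per stanza and key, and lists the default values that local will replace, so an app can be reviewed on the deployer before the bundle is applied. The sourcetype names and the sample file contents are constructed.

```python
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current, cont = {}, "default", None   # keys before a header are global
    for raw in text.splitlines():
        line = raw.rstrip()
        if cont:                                   # previous value ended with "\"
            stanzas[current][cont] += "\n" + line
        else:
            s = line.strip()
            if not s or s.startswith("#"):
                continue
            if s.startswith("[") and s.endswith("]"):
                current = s[1:-1]
                stanzas.setdefault(current, {})
                continue
            key, sep, value = s.partition("=")
            if not sep:
                continue                           # not a setting line
            cont = key.strip()
            stanzas.setdefault(current, {})[cont] = value.strip()
        cont = cont if line.endswith("\\") else None
    return stanzas

def merge_local_into_default(default_text, local_text):
    """Local wins per key; untouched default keys and stanzas are kept."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged

def overrides(default_text, local_text):
    """List (stanza, key, default_value, local_value) where local replaces default."""
    default = parse_conf(default_text)
    return [(st, k, default[st][k], v)
            for st, settings in parse_conf(local_text).items()
            for k, v in settings.items()
            if k in default.get(st, {}) and default[st][k] != v]

# Constructed sample contents for appname/default/props.conf and appname/local/props.conf
DEFAULT_PROPS = "[my_sourcetype]\nTIME_FORMAT = %Y-%m-%d %H:%M:%S\nSHOULD_LINEMERGE = true\n"
LOCAL_PROPS = ("[my_sourcetype]\nSHOULD_LINEMERGE = false\nTRUNCATE = 20000\n\n"
               "[other_sourcetype]\nKV_MODE = json\n")

if __name__ == "__main__":
    for stanza, settings in merge_local_into_default(DEFAULT_PROPS, LOCAL_PROPS).items():
        print(f"[{stanza}]")
        for key, value in settings.items():
            print(f"{key} = {value}")
    print("replaced defaults:", overrides(DEFAULT_PROPS, LOCAL_PROPS))
```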

phoenixdigital
Builder

Thanks teunlaan. Missed that bit of the documentation. It was there right in front of my face.

Good point about the old local remnants on the clustered search heads in answer two. Probably a difficult thing to clean up apart from "un-deploying" then "re-deploying" the app. They won't have any impact if left in place obviously but it is just a bit messy. Maybe I will just stick to backing it up every now and then.

0 Karma

isoutamo
SplunkTrust

You could create an app package on the command line with the command splunk package app; it then tells you where you can find the .spl file, which you can copy and transfer to e.g. the Deployer.

0 Karma