Deployment Architecture
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Serverclass.conf - Using the same app name under d...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lucas_K
Motivator
12-09-2013
04:31 PM
I've been trying to upgrade our Splunk v5.0.4 deployment server to v6.0.
It appears that our existing serverclass is now broken under v6.0
The situation is that we have a few base configurations that are pushed out to all clients and are based on their client type. forwarders, indexers, search heads, job servers and so on. These contain such things as where the deployment server is. Where to forward internal logs (very useful for sos) etc.
We used a naming standard in which they were all called the same name. ie. "sys_conf".
They used the respositoryLocation parameter per class definition (which is a still supported configuration according to current v6.0 documentation - http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Serverclassconf#serverclass.conf.example ).
So an example config.
INDEXERS - ONLY indexers should get this app.
[serverClass:sys_indexer]
filterType= blacklist
blacklist.0=*
whitelist.0=idx
restartSplunkd = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps/sys_config/indexer/
[serverClass:sys_indexer:app:sys_conf]
FORWARDERS - ONLY forwarders should get this app.
[serverClass:sys_forwarder]
filterType= blacklist
blacklist.0=*
whitelist.0=fwder
restartSplunkd = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps/sys_config/forwarder/
[serverClass:sys_forwarder:app:sys_conf]
Each unique repository location contains a "sys_conf" system app containing unique base configurations for that platform type.
In each clients deploymentclient.conf they have their clientName set to "idx" or "fwder". Checking splunkd.log shows they the correct endpoint is called.
However on the deployment server if we check /opt/splunk/var/run/tmp/ we will find all bundles for sys_conf.xxxxx will be identical and will only contain the contents of the very first defined repository location for a that unique app name.
A splunk btool serverclass list output shows the correct order of black listing and classes.
The issue I have is that its not just for base splunk configurations we have this for but right across various apps and TA's also!
I can verify this behaviour by picking a previously broken base app and calling the app something unique.
Has this functionality of being able to use the same app name in different classes and repository locations changed in v6.0?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lucas_K
Motivator
12-12-2013
08:08 PM
Support confirms this as a reproducible v6.0 issue so I will just have to wait on a fix.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lucas_K
Motivator
12-12-2013
08:08 PM
Support confirms this as a reproducible v6.0 issue so I will just have to wait on a fix.
Get Updates on the Splunk Community!
See just what you’ve been missing | Observability tracks at Splunk University
Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...
Weezer at .conf25? Say it ain’t so!
Hello Splunkers,
The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...
How SC4S Makes Suricata Logs Ingestion Simple
Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...
