I've been trying to upgrade our Splunk v5.0.4 deployment server to v6.0.
It appears that our existing serverclass is now broken under v6.0
The situation is that we have a few base configurations that are pushed out to all clients and are based on their client type. forwarders, indexers, search heads, job servers and so on. These contain such things as where the deployment server is. Where to forward internal logs (very useful for sos) etc.
We used a naming standard in which they were all called the same name. ie. "sys_conf".
They used the respositoryLocation parameter per class definition (which is a still supported configuration according to current v6.0 documentation - http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Serverclassconf#serverclass.conf.example ).
So an example config.
INDEXERS - ONLY indexers should get this app.
[serverClass:sys_indexer]
filterType= blacklist
blacklist.0=*
whitelist.0=idx
restartSplunkd = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps/sys_config/indexer/
[serverClass:sys_indexer:app:sys_conf]
FORWARDERS - ONLY forwarders should get this app.
[serverClass:sys_forwarder]
filterType= blacklist
blacklist.0=*
whitelist.0=fwder
restartSplunkd = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps/sys_config/forwarder/
[serverClass:sys_forwarder:app:sys_conf]
Each unique repository location contains a "sys_conf" system app containing unique base configurations for that platform type.
In each clients deploymentclient.conf they have their clientName set to "idx" or "fwder". Checking splunkd.log shows they the correct endpoint is called.
However on the deployment server if we check /opt/splunk/var/run/tmp/ we will find all bundles for sys_conf.xxxxx will be identical and will only contain the contents of the very first defined repository location for a that unique app name.
A splunk btool serverclass list output shows the correct order of black listing and classes.
The issue I have is that its not just for base splunk configurations we have this for but right across various apps and TA's also!
I can verify this behaviour by picking a previously broken base app and calling the app something unique.
Has this functionality of being able to use the same app name in different classes and repository locations changed in v6.0?
Support confirms this as a reproducible v6.0 issue so I will just have to wait on a fix.
Support confirms this as a reproducible v6.0 issue so I will just have to wait on a fix.