Deployment Architecture

Splunk Indexer Cluster not identifying new bundle ID when trying to deploy new config to Indexers

jwray97
Explorer

Hi,

I am trying to deploy a new index to my indexer cluster via the Cluster Master and have followed the usual documentation on how to deploy via the Master-Apps Folder. I have done this before and it has worked no problem but this time I have no idea why it is not working. 

When I make the change to indexes.conf and run the command "splunk validate cluster-bundle" it gives me no errors and then brings me back to my CLI so I would presume it has validated it. Then I run the command "splunk show cluster-bundle-status" to check the bundle ID's they are still the same ID's on the active bundle and the latest bundle. Its as if Splunk is not recognising that a change has been made to the bundle and therefore cannot deploy it down to the indexers.

jwray97_1-1708438780558.png

 

I ran the command "splunk apply cluster-bundle" and it gave me the below error. However when I checked the Splunkd.log on the CM and the Indexers there was no indication of a validation error, or any error for that case.

jwray97_0-1708438637833.png

Is there anything that I am missing here? Just cant work out why it is not recognising a change has been made to update the Bundle IDs to be pushed down. 

Thanks

 

Labels (1)
Tags (1)
0 Karma
1 Solution

jwray97
Explorer

Thanks however I worked out what was causing the issue. There was another app which was supposed to be deployed to the Search Head Custer but mistakenly it was deployed to the Indexer Cluster. After I removed this app from the Master Apps Folder I redeployed the new one and it successfully validated and pushed down to the Indexer nodes.

View solution in original post

0 Karma

jwray97
Explorer

Thanks however I worked out what was causing the issue. There was another app which was supposed to be deployed to the Search Head Custer but mistakenly it was deployed to the Indexer Cluster. After I removed this app from the Master Apps Folder I redeployed the new one and it successfully validated and pushed down to the Indexer nodes.

0 Karma

etoombs
Path Finder

Without knowing about your changes, it's hard to say what's happening. If you manually created or changed any .conf files though, I would check ownership and make sure they are owned by the splunk user. I've seen bundle validations fail when something doesn't have proper ownership.

 

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...