Deployment Architecture

Understanding the hierarchy of configuration files.

Luis_Torres
Loves-to-Learn Lots

Good afternoon, I'm a regular reader, but this is my first time writing, so I'll introduce myself. I'm Luis and work with Splunk. The searches, alerts and that kind of thing do not give me problems and usually everything works out fine. There are things that are very confusing to me, though. When I started with only one instance on my PC to learn, everything was wonderful. However, with my client's Splunk, things change because it is multi-instance.

We have 1 Search Head, 1 Deployment Server-Master Cluster, 1 UF, 1 HF and a cluster with two indexers.

My doubt comes from the following: What would be the right way to deploy an app or a configuration? Since we have so many instances and the files are duplicated and tripled in some cases, it seems to me a mess to know which one commands over others, which tasks to do in the graphical environment, which ones through configuration files, when to restart or not... To top it all, now I fail to apply the bundle actions after trying to deploy an application that reads from an API.

Would someone please explain the hierarchy to me so I can understand which files "command" over others? How could I solve the problem of bundle actions if the results don't describe what happens? Should I copy by hand each of the files and replicate them in the other instances? In which cases? For a custom app to work properly, do I need to copy it to the Search Head, HF and DS-MC?

Excuse the pile of questions but I have already tried by my own means and I can't understand it.

Thank you very much.

anilchaithu
Builder

@Luis_Torres

It depends on the distribution architecture. Are you deploying apps/add-ons to search head & indexer using a deployment server?

As I mentioned, it depends on the type of distribution, so I will list the endpoints where these apps & add-ons are to be placed:

Apps (views etc) - search head

add-on (parsing & field extractions) - search head (for search time field extractions)

add-on (parsing & field extractions) - Indexer (for search time field extractions)

add-on (parsing & field extractions) - HF (If the data is routed through HF)

Scenario 1: If you are not using a deployment server to distribute the app/add-on

You need to copy the relevant app/add-on to $SPLUNK_HOME/etc/apps/ on SH/indexer/HF.

Scenario 2: If you are using a deployment server to distribute the app/add-on to SH/HF etc.

You need to copy all the apps/add-ons to $SPLUNK_HOME/etc/deployment-apps/ on the HF. Then you should create server classes (based on the endpoint) and add clients. Then you can deploy.

Hope this helps
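
Since the thread asks which files "command" over others, here is an added example (my own code, not anilchaithu's answer or Splunk's software) that models the global-context precedence Splunk applies on a single instance; the paths, app names and outputs.conf values are constructed for the demo. On a real instance the same answer comes from `splunk btool outputs list --debug`.

```python
# Added example (not from the thread): a model of Splunk's GLOBAL-context
# config precedence, i.e. which copy of a setting wins when the same stanza/key
# exists in several .conf files. Search-time app/user context and cluster
# bundle overlays (peer-apps) follow different rules and are not modelled.
import re

# Lower tier wins; within an app tier the lowest ASCII app directory name wins.
_TIERS = [
    (r"^etc/system/local/", 0),
    (r"^etc/apps/([^/]+)/local/", 1),
    (r"^etc/apps/([^/]+)/default/", 2),
    (r"^etc/system/default/", 3),
]

def precedence_key(path):
    """Sort key (tier, app_dir) for a conf path; the smallest key wins."""
    for pattern, tier in _TIERS:
        m = re.match(pattern, path)
        if m:
            return (tier, m.group(1) if m.groups() else "")
    raise ValueError(f"not a recognised Splunk conf location: {path}")

def parse_conf(text):
    """Minimal .conf parser: '[stanza]' headers and 'key = value' lines."""
    stanzas, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, _, val = line.partition("=")
            stanzas[current][key.strip()] = val.strip()
    return stanzas

def resolve(files):
    """{path: text} -> {stanza: {key: (value, winning_path)}}, like btool --debug."""
    merged = {}
    # Apply lowest-precedence files first so higher-precedence ones overwrite.
    for path in sorted(files, key=precedence_key, reverse=True):
        for stanza, kv in parse_conf(files[path]).items():
            for key, val in kv.items():
                merged.setdefault(stanza, {})[key] = (val, path)
    return merged

# Constructed sample: one [tcpout] stanza duplicated in four places on a HF.
SAMPLE = {
    "etc/system/default/outputs.conf": "[tcpout]\ndefaultGroup = default-autolb-group\nforwardedindex.filter.disable = false\n",
    "etc/apps/my_outputs/default/outputs.conf": "[tcpout]\ndefaultGroup = idx_cluster\n",
    "etc/apps/Zzz_override/local/outputs.conf": "[tcpout]\ndefaultGroup = lab_indexers\n",
    "etc/apps/Aaa_override/local/outputs.conf": "[tcpout]\ndefaultGroup = prod_indexers\n",
}
```

Note that `Aaa_override/local` beats `Zzz_override/local` purely by ASCII order of the app directory name, which is why two apps shipping the same stanza can silently fight each other.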

Luis_Torres
Loves-to-Learn Lots

Yeah, I'm trying to make the deployment from the deployment server. The deployment server is in the same instance as the master cluster and we use the HF in another exclusive instance. What happens is that the bundle action does not accept me because I must have some bad configuration.

Thanks for the answer.
