
Update The inputs.conf on an app

Abass42
Communicator

I'm a Splunk admin and I got asked to update the inputs.conf file for the app pingfederate. I'm a little unsure of how to do it and I figured I'd ask here instead of bricking our prod system.

The request was: please modify inputs.conf for splunk agent to retrieve pingfederate log for the latest version.

 

 source: 
[monitor://E:\pingfederate-11.2.3\pingfederate\log\]
index=pingid
sourcetype=pingidsrc
disabled=false
whitelist = audit.log$|server.log$|init.log$|transaction.log$|provisioner.log$

[monitor://E:\pingfederate-11.2.3-console\pingfederate\log\]
index=pingid
sourcetype=pingidsrc
disabled=false
whitelist = audit.log$|server.log$|init.log$|transaction.log$|provisioner.log$

 

 

I'm good on that part. I found the inputs.conf on our Deployment server in 4 locations, two of which were backup locations.

We have the app's inputs.conf file under 

 

1. /export/opt/splunk/etc/deployment-apps/pingfederate/default/inputs.conf

2. /export/opt/splunk/etc/deployment-apps/pingfederate/default/inputs.conf

3. /export/opt/splunk/etc/peer-apps-backup/pingfederate/default/inputs.conf

4. etc...

 

 

Here is where I get a bit confused. I remember reading through some docs about which folder is the main one that controls the apps, and one is just there kind of like a backup. I'm pretty sure I'm supposed to change the file in local, and then push that, is that correct? If so, what exactly is the default for? Is it some sort of failsafe in case the app acts up?

 

I saw somewhere about manager-apps or master-apps, but since I'm using the deployment server, it should be under deployment-apps. But all of the apps that are under deployment-apps do not all appear under manage apps in the web version of Splunk deployment. All of the apps that appear on the Splunk deployment webpage are located in /export/opt/splunk/etc/apps. I don't quite understand the difference here, and which directory is there for what reason.

 

And then, after I get that inputs.conf file sorted, how do I push it? I'm not pushing an app, but would I do that shcluster bundle command if I'm not pushing an entire app?

$SPLUNK_HOME/bin/splunk apply shcluster-bundle -target https://<any_member_SHC>:<mgmt_port> -auth admin:<password>

I found that command, but it's run through the deployer, so I'm assuming that's not quite correct. (We have a clustered environment with two clusters of SH and indexers, btw.)

 

I've gotten a bit lost in the sauce reading all of the docs and they are all blending together. I'd appreciate any input. Thank you for any help.

0 Karma
1 Solution

richgalloway
SplunkTrust

Maybe I need new glasses but files 1 and 2 look identical to me.

Make your changes to the app in the app's local directory.  That is, $SPLUNK_HOME/etc/deployment-apps/pingfederate/local.  The DS will merge the local and default settings before sending the app to clients.

The apply shcluster-bundle command is for sending apps to a search head cluster (SHC).  The DS does not push apps to clients - clients pull apps from the DS.

The manager-apps and master-apps directories hold apps that will be sent to indexers by the Cluster Manager (often the same instance as the DS).  Indexers do not need inputs.conf so you can ignore this directory for now.

---
If this reply helps you, Karma would be appreciated.
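
As an added illustration (not code from the thread or from Splunk), this sketch layers an app's local/inputs.conf over its default/inputs.conf attribute by attribute, which is how Splunk resolves the two directories within one app, and checks which files the resulting whitelist would collect. The default contents and the `pingfederate-OLD` path are constructed placeholders, and the helper names are hypothetical.

```python
import re

# Constructed default/ contents; "pingfederate-OLD" is a placeholder path.
DEFAULT_CONF = r"""
[monitor://E:\pingfederate-OLD\pingfederate\log\]
index = pingid
disabled = false
whitelist = audit.log$|server.log$
"""

# local/ holds only the override for the old stanza plus the requested stanza.
LOCAL_CONF = r"""
[monitor://E:\pingfederate-OLD\pingfederate\log\]
disabled = true

[monitor://E:\pingfederate-11.2.3\pingfederate\log\]
index = pingid
sourcetype = pingidsrc
disabled = false
whitelist = audit.log$|server.log$|init.log$|transaction.log$|provisioner.log$
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """Layer local over default, attribute by attribute within each stanza."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged

def monitored(settings, path):
    """True if the stanza is enabled and its whitelist regex matches the path."""
    if settings.get("disabled", "false").lower() in ("true", "1"):
        return False
    return re.search(settings.get("whitelist", ""), path) is not None

if __name__ == "__main__":
    for stanza, settings in effective(DEFAULT_CONF, LOCAL_CONF).items():
        print(stanza, settings)
```

A stanza that exists only in default stays active, inherited attributes included, until local sets `disabled = true` for it. Rotated files such as `server.log.1` fall outside the whitelist because of the `$` anchor.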

Abass42
Communicator

So do I need to push anything? Does the Deployment server just auto update any new changes and then automatically push and replicate the inputs.conf across all Search heads? If so, that's nice.

Thank you for the response 🙂

0 Karma

richgalloway
SplunkTrust

No need to do anything once the app is modified.  Assuming, that is, that the "Restart splunkd" option is set for the app in the DS.  Otherwise, you have to restart each forwarder so they read the new inputs.conf.

---
If this reply helps you, Karma would be appreciated.