Update The inputs.conf on an app

Abass42
Path Finder

I'm a Splunk admin and I got asked to update the inputs.conf file for the app pingfederate. I'm a little unsure of how to do it and I figured I'd ask here instead of bricking our prod system.

The request was: please modify inputs.conf for splunk agent to retrieve pingfederate log for the latest version.

 

 source: 
[monitor://E:\pingfederate-11.2.3\pingfederate\log\]
index=pingid
sourcetype=pingidsrc
disabled=false
whitelist = audit.log$|server.log$|init.log$|transaction.log$|provisioner.log$

[monitor://E:\pingfederate-11.2.3-console\pingfederate\log\]
index=pingid
sourcetype=pingidsrc
disabled=false
whitelist = audit.log$|server.log$|init.log$|transaction.log$|provisioner.log$

 

 

I'm good on that part. I found the inputs.conf on our deployment server in 4 locations, two of which were backup locations.

We have the app's inputs.conf file under 

 

1. /export/opt/splunk/etc/deployment-apps/pingfederate/default/inputs.conf

2. /export/opt/splunk/etc/deployment-apps/pingfederate/default/inputs.conf

3. /export/opt/splunk/etc/peer-apps-backup/pingfederate/default/inputs.conf

4. etc...

 

 

Here is where I get a bit confused. I remember reading through some docs about which folder is the main one that controls the apps, and one is just there kind of like a backup. I'm pretty sure I'm supposed to change the file in local, and then push that, is that correct? If so, what exactly is the default for? Is it some sort of failsafe in case the app acts up?

 

I saw somewhere about manager-apps or master-apps, but since I'm using the deployment server, it should be under deployment-apps. But all of the apps that are under deployment apps do not all appear under manage apps in the web version of Splunk deployment. All of the apps that appear on the Splunk deployment webpage are located in the /export/opt/splunk/etc/apps. I don't quite understand the difference here, and which directory is there for what reason.

 

And then, after I get that inputs.conf file sorted, how do I push it? I'm not pushing an app, but would I do that shcluster bundle command if I'm not pushing an entire app?

SPLUNK_HOME/bin/splunk apply shcluster-bundle -target https://<any_member_SHC>:<mgmt_port> -auth admin:<password>

I found that command, but it's run through the deployer, so I'm assuming that's not quite correct. (We have a clustered environment with two clusters of SH and indexers, btw.)

 

I've gotten a bit lost in the sauce reading all of the docs and they are all blending together. I'd appreciate any input. Thank you for any help.

richgalloway
SplunkTrust

Maybe I need new glasses but files 1 and 2 look identical to me.

Make your changes to the app in the app's local directory.  That is, $SPLUNK_HOME/etc/deployment-apps/pingfederate/local.  The DS will merge the local and default settings before sending the app to clients.

The apply shcluster-bundle command is for sending apps to a search head cluster (SHC).  The DS does not push apps to clients - clients pull apps from the DS.

The manager-apps and master-apps directories hold apps that will be sent to indexers by the Cluster Manager (often the same instance as the DS).  Indexers do not need inputs.conf so you can ignore this directory for now.

---
If this reply helps you, Karma would be appreciated.
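
An added example, not part of the original thread or Splunk's own code: a simplified Python emulation of the effective inputs.conf when the app's local directory is layered over default, per stanza and per attribute. The sample default file and the `pingfederate-OLD` path are constructed placeholders; only the 11.2.3 stanza comes from the question.

```python
# Constructed default/inputs.conf. "pingfederate-OLD" is a placeholder path.
DEFAULT_CONF = r"""
[monitor://E:\pingfederate-OLD\pingfederate\log\]
index=pingid
sourcetype=pingidsrc
disabled=false
"""
# Constructed local/inputs.conf: the requested stanza plus an override that
# disables the monitor inherited from default.
LOCAL_CONF = r"""
[monitor://E:\pingfederate-11.2.3\pingfederate\log\]
index=pingid
sourcetype=pingidsrc
disabled=false
whitelist = audit.log$|server.log$|init.log$|transaction.log$|provisioner.log$

[monitor://E:\pingfederate-OLD\pingfederate\log\]
disabled=true
"""

def parse_conf(text):
    """Parse .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def merge_layers(default, local):
    """Layer local over default: same stanza and key, local wins."""
    merged = {name: dict(attrs) for name, attrs in default.items()}
    for name, attrs in local.items():
        merged.setdefault(name, {}).update(attrs)
    return merged

def active_monitors(merged):
    """Return monitor paths not disabled (only 'true'/'1' handled here)."""
    return sorted(name[len("monitor://"):] for name, attrs in merged.items()
                  if name.startswith("monitor://")
                  and attrs.get("disabled", "false").lower() not in ("true", "1"))

if __name__ == "__main__":
    merged = merge_layers(parse_conf(DEFAULT_CONF), parse_conf(LOCAL_CONF))
    print(active_monitors(merged))
```

Adding a new stanza in local does not remove a monitor that default still defines; that monitor stays active until local sets `disabled=true` for the same stanza name.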

Abass42
Path Finder

So do I need to push anything? Does the deployment server just auto update any new changes and then automatically push and replicate the inputs.conf across all search heads? If so, that's nice.

Thank you for the response 🙂

richgalloway
SplunkTrust

No need to do anything once the app is modified.  Assuming, that is, that the "Restart splunkd" option is set for the app in the DS.  Otherwise, you have to restart each forwarder so they read the new inputs.conf.

---
If this reply helps you, Karma would be appreciated.