Deployment Architecture

What are recommendations for app creation and deployment in an environment with distributed search and indexer clustering?

jbouch03
Path Finder

Hi,

We just recently redeployed our Splunk implementation with a indexer clustering and distributed search heads, and want to recreate our core Splunk application from the ground up. Indexer clustering and distributed search heads are still pretty new to us, so I was wondering if anyone had any tips for app creation on a clustered instance.

Our primary question is this:
Do we start the app creation in the cluster master? And if so as we make changes to the application do we just push the bundle down to the indexers, or do we have to create our app on each indexer and cluster master until we have finished the app, then deploy it through the cluster master?

Our app will need to meet the following constraints:
Its own index
Its own props.conf and transforms.conf
Access to other indexers
Ability to be searched through the primary search head and not just from the indexers
Use the Splunk web framework with Django bindings

Any assistance provided would be greatly appreciated. Thank you in advance.

1 Solution

emiller42
Motivator

Create it outside of your cluster entirely. Set up a dev instance where you can get it ready for deployment. Once everything is good, put it on the index cluster master (etc/master-apps/) and deploy it to the cluster from there. Same with the search head cluster. Deploy it on the deployer (etc/shcluster/apps/) and then deploy from there. Use that pattern to push changes and updates.

EDIT: Since you mention web frameworks in your tags: I recommend a separate app bundle for indexers which only contains what they need to index data. Indexes, props, and transforms. (Basically, a TA to follow established app nomenclature) There's no need to push anything affecting the UI or any search-time configurations to the indexing layer.

View solution in original post

emiller42
Motivator

Create it outside of your cluster entirely. Set up a dev instance where you can get it ready for deployment. Once everything is good, put it on the index cluster master (etc/master-apps/) and deploy it to the cluster from there. Same with the search head cluster. Deploy it on the deployer (etc/shcluster/apps/) and then deploy from there. Use that pattern to push changes and updates.

EDIT: Since you mention web frameworks in your tags: I recommend a separate app bundle for indexers which only contains what they need to index data. Indexes, props, and transforms. (Basically, a TA to follow established app nomenclature) There's no need to push anything affecting the UI or any search-time configurations to the indexing layer.

jbouch03
Path Finder

So if I'm reading this right, it's best to create the app on a non clustered dev Splunk implementation, then once its mostly complete, move it to the production clustered environment? Then just package app updates? I was really hoping we can do it in production. We are required to use Redhat Enterprise and we already burned up all our licenses moving from 1 server to 6. It's not a big deal, but that means we have to purchase another license.

0 Karma

jbouch03
Path Finder

That's a really good point. We already have a TA in the works for the app.

0 Karma

emiller42
Motivator

You can just run Splunk locally on your workstation. (Set up a Centos VM if you want to stay on Linux)

The nasty thing is that, while you can have your UI app just be developed on your cluster deployer (in etc/apps/) you're going to need to distribute the indexer configs from the outset via the cluster master.

Since your Indexers just need index-time configs though, you can focus on those first, get them deployed, and then focus on the SH app. Develop on the cluster deployer in etc/apps/, then when ready, copy the folder to etc/shcluster/apps/ and push to the cluster.

0 Karma

jbouch03
Path Finder

This has been great information. Thanks for all your help. I really appreciate it.

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...