Deployment Architecture

What configuration setting will allow the cluster master to regularly apply cluster bundles to peers?

arunraoExp
New Member

Hello,

I am looking for a Splunk configuration setting that allows the cluster master to push cluster bundles (asynchronously) to peers.

Currently, I have the apps folder syncing from git to the Deployment server every 15 mins and then propagated to the Cluster master (etc/master-apps). Then, I have to splunk apply cluster-bundle every time I have to push to Indexers (peers). There is the possibility of peers restarting if certain configurations are updated in indexes.conf, but that is very rare in my setup.

Anyone know of a Splunk CM setting that applies cluster bundles whenever there is a change detected?

Thanks!

0 Karma

esix_splunk
Splunk Employee

There is no mechanism to do this automatically. Changes to the CM's master-apps should be infrequent.

You could apply the changes in the folder, via copy or sync, and then hit a REST endpoint to apply the bundle as part of your script...

 curl -k -u admin:changeme https://localhost:8089/services/cluster/master/control/control/apply -d skip-validation=true -X POST

This seems to work, even though undocumented...

See here : https://answers.splunk.com/answers/146998/is-there-a-way-to-distribute-cluster-bundle-through-rest-a...

0 Karma

adonio
Ultra Champion

First, I will say that I am not aware of such a configuration and would love to know if it exists. However, it seems like something that is pretty straightforward to script. With that being said, what is the drive behind that need?
I find that CM changes to indexers, even in a very active environment, do not happen very often. I also find the CM mechanism of detecting bad configurations and warning about them very helpful and not something I would like to bypass. (Although if you script it, you can tell it to let you know if that flag is raised.)
Hope it helps a little.

0 Karma
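
The scripted approach suggested in the two replies above, as an added example that is not part of any post in this thread: it applies the bundle only when the contents of master-apps have changed and leaves bundle validation enabled. The paths, `STATE_FILE` and the function names are assumptions, and the Splunk CLI session is assumed to be authenticated already so that no password appears in the script.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): apply the cluster bundle only when
# master-apps actually changed. Paths and STATE_FILE are assumptions.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
MASTER_APPS="${MASTER_APPS:-$SPLUNK_HOME/etc/master-apps}"
STATE_FILE="${STATE_FILE:-$SPLUNK_HOME/var/run/master-apps.sha256}"  # hypothetical

# One digest over every file's path and content, in a stable order.
bundle_digest() {
  ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum ) \
    | sha256sum | cut -d' ' -f1
}

# Validation is left on (no skip-validation). The push to the peers is
# asynchronous; `splunk show cluster-bundle-status` reports the outcome.
apply_bundle() {
  "$SPLUNK_HOME/bin/splunk" apply cluster-bundle --answer-yes
}

sync_and_apply() {
  [ -d "$MASTER_APPS" ] || { echo "missing $MASTER_APPS" >&2; return 1; }
  current="$(bundle_digest "$MASTER_APPS")"
  if [ -f "$STATE_FILE" ] && [ "$current" = "$(cat "$STATE_FILE")" ]; then
    echo "master-apps unchanged; nothing to apply"
    return 0
  fi
  if apply_bundle; then
    # Record the digest only after the CLI reports success, so a failed
    # apply is retried (and reported again) on the next run.
    printf '%s\n' "$current" > "$STATE_FILE"
  else
    echo "apply cluster-bundle failed; leaving state untouched" >&2
    return 1
  fi
}

# Run from cron after the git sync, e.g.: ./apply-if-changed.sh --run
if [ "${1:-}" = "--run" ]; then sync_and_apply; fi
```

A non-zero exit from the script is the hook for alerting, which covers the point about being told when the CM flags a bad configuration.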

arunraoExp
New Member

Thanks adonio for your reply. Yes, Indexer apps do not change very often, but I wanted to know if there is a straightforward way of doing it. I already have "sync_bundle_replication" set to auto as per defaults. I see that async bundle replication happens when I apply, but I wanted that apply to be automated.

I hope someone from Splunk replies or updates the documentation, if this can or cannot be done.

Thanks!

0 Karma