Deployment Architecture

Is there a way to import local changes on SHC peers' apps back to the deployer?

sonny_monti
Path Finder

Dear community,

I would like to maintain the search peers' status of every app in the deployer, and not on search peers' local folder.

I really like to have every single configuration and app in the deployer's shcluster folder. For custom apps I always put everything in the default folder.
The problem is that customizations or new features made via splunk-web are NOT reflected in the shcluster folder of the deployer; instead, they are only present in the cluster's peers local folder.

Since I have hundreds of custom apps, my current idea to do this is to write a program that checks the difference between deployer's stanzas and the related stanzas on the search peers (using btool to get the actually used configurations), and then merges them (for custom apps I will then put this merge in the default folder).

Does anybody have a better idea?

0 Karma

gcusello
SplunkTrust

Hi sonny_monti,
in a Search Head Cluster, all configurations are replicated between peers by the Captain, as are all updates to configurations and lookups; having an updated copy of all apps on the Deployer is relevant only when you want to add new apps from the Deployer to the Cluster Members, because the push of the new app also pushes the other apps.

In this case you have to follow the procedure described at https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/PropagateSHCconfigurationchanges

So, let SHC run by itself and eventually copy apps from a Search Head to Deployer for future use: to do this, you can create a script that automatically copies apps from the member's $SPLUNK_HOME/etc/apps folder to the Deployer's $SPLUNK_HOME/etc/shcluster folder or execute a manual copy (I always use this way!).

When you push apps from Deployer to the members, remember to preserve lookup files across app upgrades using the option -preserve-lookups in the push command or the deployer_lookups_push_mode = preserve_lookups option in [shclustering] stanza in $SPLUNK_HOME/etc/system/local/app.conf

Bye.
Giuseppe

sonny_monti
Path Finder

Thanks, though it would be awesome if the process of bringing custom apps back to the deployer were a Splunk feature; it's a bit of a pain to have to do it by hand, and to have to merge into default what you have configured in local.

gcusello
SplunkTrust

I completely agree!!
The main question is: What is the Deployer used for?

Bye, until next time.
Giuseppe

0 Karma
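
The local-into-default merge discussed in this thread, as an added example that is not code from either poster or from Splunk: it folds the text of an app's local .conf file into its default .conf file and returns the list of changed settings, so changes made through Splunk Web can be reviewed before the app is pushed from the deployer. The function names, the simplified parser and the sample stanzas are assumptions made for illustration.

```python
# Added example: fold an app's local/*.conf settings into default/*.conf text.
# Simplified parser (assumption): "#" comments, [stanza] headers, key = value,
# and trailing-backslash continuation lines.

def parse_conf(text):
    """Return {stanza: {key: value}}; settings before any header go to 'default'."""
    stanzas = {"default": {}}
    current, pending = stanzas["default"], None
    for raw in text.splitlines():
        if pending is not None:              # continuation of a multi-line value
            current[pending] += "\n" + raw
            pending = pending if raw.rstrip().endswith("\\") else None
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
            pending = key.strip() if value.rstrip().endswith("\\") else None
    return stanzas

def merge_local_into_default(default_text, local_text):
    """Local wins per key; returns (merged, changes) so changes can be reviewed."""
    merged, changes = parse_conf(default_text), []
    for stanza, settings in parse_conf(local_text).items():
        target = merged.setdefault(stanza, {})
        for key, value in settings.items():
            if target.get(key) != value:
                changes.append((stanza, key, target.get(key), value))
                target[key] = value
    return merged, changes

def render_conf(stanzas):
    """Serialize back to .conf text, skipping the implicit empty 'default' stanza."""
    out = []
    for stanza, settings in stanzas.items():
        if stanza == "default" and not settings:
            continue
        out += [f"[{stanza}]"] + [f"{k} = {v}" for k, v in settings.items()] + [""]
    return "\n".join(out)

# Constructed sample input (savedsearches.conf style), not taken from the thread.
DEFAULT_SAMPLE = ("[Failed logins]\nsearch = index=auth action=failure | stats count by user\n"
                  "cron_schedule = 0 * * * *\ndisabled = 0\n")
LOCAL_SAMPLE = ("[Failed logins]\ncron_schedule = */15 * * * *\n\n"
                "[New admin accounts]\nsearch = index=auth action=created \\\n    role=admin\n")

if __name__ == "__main__":
    merged, changes = merge_local_into_default(DEFAULT_SAMPLE, LOCAL_SAMPLE)
    for stanza, key, old, new in changes:
        print(f"[{stanza}] {key}: {old!r} -> {new!r}")
    print(render_conf(merged))
```

The change list is the part worth keeping in a review step: every entry is a setting that exists only on the cluster members until the merged file is written to the deployer.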