Deployment Architecture

is there a way to import local changes on SHC peers' apps back to the deployer?

sonny_monti
Path Finder

Dear comunity,

I would like to maintain the search peers' status of every app in the deployer, and not on search peers' local folder.

I really like to have every single configuration and app in the deployer's shcluster folder. For custom apps I always put everything in the default folder.
The problem is that customizations or new features made via splunk-web are NOT reflected in the shcluster folder of the deployer, instead, they are only present in the cluster's peers local folder.

Since I have hundreds of custom apps, my current idea to do this is to write a program that checks the difference between deployer's stanzas and the related stanzas on the search peers (using btool to get the actually used configurations) , and then merges them (for custom apps I will then put this merge in the default folder).

Does anybody have a better idea?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi sonny_monti,
in a Search Head Cluster all configurations are replicated between peers by the Captain, also all updates on configurations and lookups; the need to have an updated copy of all apps on the Deployer is relevant only when you want to add new apps from the Deployer to the Cluster Members, because the push of the new app pushes also the other apps.

In this case you have to follow the procedure described at https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/PropagateSHCconfigurationchanges

So, let SHC run by itselft and eventually copy apps from a Search Head to Deployer for future uses: to do this, you can create a script that automatically copies apps from the member's $SPLUNK_HOME/etc/apps folder to the Deployer's $SPLUNK_HOME/etc/shcluster folder or exewcute a manual copy (I always use this way!).

When you push apps from Deployer to the members, remember to preserve lookup files across app upgrades using the option -preserve-lookups in the push command or the deployer_lookups_push_mode = preserve_lookups option in [shclustering] stanza in $SPLUNK_HOME/etc/system/local/app.conf

Bye.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi sonny_monti,
in a Search Head Cluster all configurations are replicated between peers by the Captain, also all updates on configurations and lookups; the need to have an updated copy of all apps on the Deployer is relevant only when you want to add new apps from the Deployer to the Cluster Members, because the push of the new app pushes also the other apps.

In this case you have to follow the procedure described at https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/PropagateSHCconfigurationchanges

So, let SHC run by itselft and eventually copy apps from a Search Head to Deployer for future uses: to do this, you can create a script that automatically copies apps from the member's $SPLUNK_HOME/etc/apps folder to the Deployer's $SPLUNK_HOME/etc/shcluster folder or exewcute a manual copy (I always use this way!).

When you push apps from Deployer to the members, remember to preserve lookup files across app upgrades using the option -preserve-lookups in the push command or the deployer_lookups_push_mode = preserve_lookups option in [shclustering] stanza in $SPLUNK_HOME/etc/system/local/app.conf

Bye.
Giuseppe

sonny_monti
Path Finder

Grazie, sarebbe però una bomba se il processo di riportare le custom apps al deployer fosse una feature di splunk, è un po' una menata doverlo fare a mano, e dover fare il merge nel default di ciò che hai configurato in local.

gcusello
SplunkTrust
SplunkTrust

I completely agree!!
The main question is: What is the Deployer used for?

Ciao, alla prossima.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...