Deployment Architecture

splunk deployment

Path Finder

I am going to be using the Splunk deployment server for the first time in our environment to deploy some changes to the inputs.conf file.

I was wondering if this would fully replace the inputs.conf file on the deployment clients? Or is it possible to use the deployment server to only push some new changes / update the existing inputs.conf?

1 Solution

Motivator

Deployed apps will overwrite deployed configuration files. You will want to create custom apps to push out so as not to mess with the default Splunk apps -- you will run into interesting problems once you update your deployment clients, as the installer may overwrite your changes and the config won't be redeployed until you change it at the deployment server.

I recommend the following approach:

  1. Determine what you want to deploy. Let's say you just need to push out one inputs.conf to index /var/log/helloworld.
  2. On your deployment server, under $SPLUNK_HOME/etc/deployment-apps/ create a new folder for your custom app. $SPLUNK_HOME/etc/deployment-apps/my-app/
  3. Under the $SPLUNK_HOME/etc/deployment-apps/my-app/ create a default folder.
  4. Create your inputs.conf under $SPLUNK_HOME/etc/deployment-apps/my-app/default.
  5. Add appropriate configuration into serverclass.conf to push out your custom app. http://www.splunk.com/base/Documentation/latest/Admin/Definedeploymentclasses
  6. Add deployment clients. http://www.splunk.com/base/Documentation/latest/Admin/Configuredeploymentclients

[edit: Removed last paragraph based on Lowell's advice]
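
Steps 2 to 5 above as a script, added here as an example (not code from the original post or from Splunk). The server class name, whitelist, index and sourcetype are assumed values; the second function checks a forwarder for the same stanza in etc/system/local, the case raised later in the thread, where system/local takes precedence over any app.

```shell
#!/bin/sh
# Added example: scaffold the deployment app and flag a conflicting stanza
# on a forwarder. Assumed names: server class "helloworld_forwarders",
# index "main", sourcetype "helloworld", whitelist "*" (narrow it in practice).
STANZA='[monitor:///var/log/helloworld]'

# build_app DS_HOME: create my-app and its server class under the
# deployment server's SPLUNK_HOME. Safe to re-run: an existing server
# class stanza is left alone instead of being appended twice.
build_app() {
    app_dir="$1/etc/deployment-apps/my-app/default"
    sc="$1/etc/system/local/serverclass.conf"
    mkdir -p "$app_dir" "$1/etc/system/local"
    cat > "$app_dir/inputs.conf" <<EOF
$STANZA
disabled = false
index = main
sourcetype = helloworld
EOF
    grep -qF '[serverClass:helloworld_forwarders]' "$sc" 2>/dev/null ||
    cat >> "$sc" <<EOF
[serverClass:helloworld_forwarders]
whitelist.0 = *

[serverClass:helloworld_forwarders:app:my-app]
restartSplunkd = true
stateOnClient = enabled
EOF
}

# shadowed_in_system_local FWD_HOME: exit status 0 when the forwarder already
# defines the same stanza in etc/system/local/inputs.conf. That directory has
# the highest precedence, so its attributes win over the deployed app's.
shadowed_in_system_local() {
    grep -qF "$STANZA" "$1/etc/system/local/inputs.conf" 2>/dev/null
}

# Demo against a scratch directory (constructed sample data).
scratch=$(mktemp -d)
build_app "$scratch/ds"
mkdir -p "$scratch/fwd/etc/system/local"
printf '%s\nindex = old\n' "$STANZA" > "$scratch/fwd/etc/system/local/inputs.conf"
if shadowed_in_system_local "$scratch/fwd"; then
    echo "WARNING: $STANZA is also set in system/local and overrides my-app"
fi
```

On a real deployment server, pass its `$SPLUNK_HOME` to `build_app` and then run `splunk reload deploy-server` so the new server class is picked up.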

New Member

What about if you're pushing the outputs.conf? There is no way to push this if there is an existing outputs.conf file without using /system/local in your deployment. Well, unless you go to all your clients and delete the outputs.conf first, but then I might as well just change it while I'm there. Re-deploy the Splunk forwarder with no outputs.conf and then deploy with a different app. Seems drastic, but I suppose that would work. Seems easier to just push /system/local to the client.

0 Karma

Path Finder

Oh well, I actually want to pursue this as a one-time deployment only. At present the Splunk forwarders have an inputs.conf file in /etc/system/local, so by precedence order it shouldn't override the first copy of inputs.conf, right? Please correct me if I am wrong... thanks

0 Karma

Motivator

@Lowell -- thanks! I had no idea. Then of course my deployment server doesn't work at this point due to some interesting scenario where SSL connections drop (SPL-30820) so that would explain why my local configs did not get overwritten 🙂

0 Karma

Super Champion

I gave you +1, then I got to your last paragraph.... You are wrong about the local directory thing: If you customize my-app/local/inputs.conf on a deployment client, the very next change to that app on the deployment server will trigger the client to download the new app, and it will overwrite the entire my-app folder structure, which includes everything in the "local" sub-folder. So, yes, you should be concerned about losing your local changes, because you will lose them.

Contributor

My understanding is that it fully replaces the local/inputs.conf that you may have, meaning it does not append the current inputs.conf. My suggestion is to have your custom inputs.conf in an app folder instead, so there's no replacement, or create an inputs.conf on an app folder from your deployment.

0 Karma

Path Finder

because at present the splunk forwarders have their inputs.conf in /etc/system/local

0 Karma

Path Finder

Splunk by default looks through the precedence structure to check for copies of configuration files, right? So by default the deployment in the client could be pushed to one of the app folders?

0 Karma