Deployment Architecture

splunk deployment

heterodyned
Path Finder

I am going to be using Splunk deployment server for the first time in our environment to deploy some changes into the inputs.conf file.

I was wondering if this would fully replace the inputs.conf file in the deployment clients? Or is it possible to use the deployment server to only push some new changes/update the existing inputs.conf?

1 Solution

ftk
Motivator

Deployed apps will overwrite deployed configuration files. You will want to create custom apps to push out so as not to mess with the default Splunk apps -- you will run into interesting problems once you update your deployment clients, as the installer may overwrite your changes and the config won't be redeployed until you change it at the deployment server.

I recommend the following approach:

  1. Determine what you want to deploy. Let's say you just need to push out one inputs.conf to index /var/log/helloworld.
  2. On your deployment server, under $SPLUNK_HOME/etc/deployment-apps/ create a new folder for your custom app. $SPLUNK_HOME/etc/deployment-apps/my-app/
  3. Under the $SPLUNK_HOME/etc/deployment-apps/my-app/ create a default folder.
  4. Create your inputs.conf under $SPLUNK_HOME/etc/deployment-apps/my-app/default.
  5. Add appropriate configuration into serverclass.conf to push out your custom app. http://www.splunk.com/base/Documentation/latest/Admin/Definedeploymentclasses
  6. Add deployment clients. http://www.splunk.com/base/Documentation/latest/Admin/Configuredeploymentclients

[edit: Removed last paragraph based on Lowell's advice]
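
Steps 2 to 5 above as a shell function to run on the deployment server. This is an added example, not part of ftk's post and not Splunk's own tooling. The server class name helloworld_forwarders and the helloworld-* whitelist pattern are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: builds the custom app from the post and maps it to a server class.
# Assumptions (not from the post): server class "helloworld_forwarders" and the
# client pattern "helloworld-*" are placeholders; adjust both to your environment.

build_deployment_app() {
    splunk_home=$1          # e.g. /opt/splunk on the deployment server
    app_dir="$splunk_home/etc/deployment-apps/my-app"
    sc_conf="$splunk_home/etc/system/local/serverclass.conf"

    # Steps 2-3: custom app folder with a default/ sub-folder.
    mkdir -p "$app_dir/default" "$splunk_home/etc/system/local" || return 1

    # Step 4: the one input to push out (path taken from the post).
    cat > "$app_dir/default/inputs.conf" <<'EOF'
[monitor:///var/log/helloworld]
disabled = false
EOF

    # Step 5: map the app to a server class. Append only once so that
    # re-running the function does not duplicate the stanzas.
    if ! grep -q '^\[serverClass:helloworld_forwarders\]' "$sc_conf" 2>/dev/null; then
        cat >> "$sc_conf" <<'EOF'
[serverClass:helloworld_forwarders]
# Scope the push: only clients whose client name, host name or IP matches
# this pattern receive the app. A bare "*" would push it to every client.
whitelist.0 = helloworld-*

[serverClass:helloworld_forwarders:app:my-app]
stateOnClient = enabled
restartSplunkd = true
EOF
    fi
}

# Usage on a real deployment server:
#   build_deployment_app "$SPLUNK_HOME" && "$SPLUNK_HOME/bin/splunk" reload deploy-server
```

Step 6 is done on each forwarder, in deploymentclient.conf, by setting targetUri under [target-broker:deploymentServer] to the deployment server's management host and port.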

irievibe
Explorer

What about if you're pushing the outputs.conf? There is no way to push this if there is an existing outputs.conf file without using /system/local in your deployment. Well, unless you go to all your clients and delete the outputs.conf first, but then I might as well just change it while I'm there. Re-deploy the Splunk forwarder with no outputs.conf and then deploy with a different app. Seems drastic, but I suppose that would work. Seems easier to just push /system/local to the client.

0 Karma

heterodyned
Path Finder

Oh well, I actually want to pursue this as a one-time deployment only. At present the Splunk forwarders have an inputs.conf file in /etc/system/local, so by precedence order it shouldn't override the first copy of inputs.conf, right? Please correct me if I am wrong... thanks

0 Karma

ftk
Motivator

@Lowell -- thanks! I had no idea. Then of course my deployment server doesn't work at this point due to some interesting scenario where SSL connections drop (SPL-30820) so that would explain why my local configs did not get overwritten 🙂

0 Karma

Lowell
Super Champion

I gave you +1, then I got to your last paragraph.... You are wrong about the local directory thing: If you customize my-app/local/inputs.conf on a deployment client, the very next change to that app on the deployment server will trigger the client to download the new app, and it will overwrite the entire my-app folder structure, which includes everything in the "local" sub-folder. So, yes, you should be concerned about losing your local changes, because you will lose them.

BunnyHop
Contributor

My understanding is that it fully replaces the local/inputs.conf that you may have, meaning it does not append the current inputs.conf. My suggestion is to have your custom inputs.conf in an app folder instead, so there's no replacement, or create an inputs.conf on an app folder from your deployment.

0 Karma

heterodyned
Path Finder

Because at present the Splunk forwarders have their inputs.conf in /etc/system/local.

0 Karma

heterodyned
Path Finder

Splunk by default looks through the precedence structure to check for copies of configuration files, right? So by default the deployment in the client could be pushed to one of the apps folders?

0 Karma