- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: why cluster master distribute an app instead o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
According to the document here, cluster master distributes an app under indexer clustering environment.
https://docs.splunk.com/Documentation/Splunk/8.1.3/Indexer/Manageappdeployment
I think if the app dose not have index-time extraction configuration, cluster master may distribute only indexes.conf. Why dose cluster master have to distribute whole app? I believe the app should be located only on search head. Because when search runs, search-time extraction conf (props.conf and transforms.conf) would be down to peers with bundle replication.
Could you please let me know why the docs says so? Is it best practice?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandy81,
as @aasabatini said (Ciao Alessandro!) there are more kinds of Apps to use in different server roles (from more infos see at https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/Whatsanapp😞
- proper Apps with dashboards only on Search Heads, these apps containg also all the search time knoledge objects and conf files;
- Add-Ons to provide specific capabilities to assist in gathering, normalizing, and enriching data sources, that can be installed in SHs in Indexers, Heavy Forwarders, Universal Forwarders.
As I said you can create one one App containing all the objects and install it in all your Splunk Servers or create different objects for the different roles, I already described pros and cons.
If you're speaking of apps to download from Splunkbase, in the installation instructions is described which object must be instaled for each role.
Only one final question: what's the problem?
As I said i always prefer semplicity in installation, so for Splunkbase Apps i follow instructions, for custom Apps I do at most two objects (sometimes also only one!).
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandy81,
if you want to deploy only one or more conf files, you can do this putting those files in $SPLUNK_HOME/etc/master-apps/_cluster/local
But anyway I always prefer to use dedicated apps to deploy conf files to Indexers to have a more control on the installation: e.g. using only one indexes.conf, you could have stanzas of different apps and I don't like it!
In addition, apps aren't specific of Search Heads, but there are also specific apps for Indexers, Heavy Forwarders, Universal Forwarders.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandy81,
as @aasabatini said (Ciao Alessandro!) there are more kinds of Apps to use in different server roles (from more infos see at https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/Whatsanapp😞
- proper Apps with dashboards only on Search Heads, these apps containg also all the search time knoledge objects and conf files;
- Add-Ons to provide specific capabilities to assist in gathering, normalizing, and enriching data sources, that can be installed in SHs in Indexers, Heavy Forwarders, Universal Forwarders.
As I said you can create one one App containing all the objects and install it in all your Splunk Servers or create different objects for the different roles, I already described pros and cons.
If you're speaking of apps to download from Splunkbase, in the installation instructions is described which object must be instaled for each role.
Only one final question: what's the problem?
As I said i always prefer semplicity in installation, so for Splunkbase Apps i follow instructions, for custom Apps I do at most two objects (sometimes also only one!).
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gcusello
Thank you for your answer. The reason I asked this questions is recently I had to deploy an app containing props.conf and transforms.conf which configure index-time field extraction. I was wondering if I need to deploy the app into search head or indexers.
Thank you @gcusello @aasabatini
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandy81,
good for you, see next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma points are appreciated 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gcusello
Thank you for your answer. Let me ask further questions.
In many cases, props.conf includes index-time related configurations and search-time related configurations both. Do I have to split each conf and then deploy one with index-time config with cluster master to peers and another one with search-time config with deployer to search head cluster member?
You said apps are not specific of search head, but I believe most of app including dashboards should be deployed on Search head.
Please let me know what is the best practice for props.conf deploy. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandy81
to help you I use the example the windows app.
Generally the apps on the splunkbase are dived on two types:
- Windows app for dashboard report and visualization to be installed on search head https://splunkbase.splunk.com/app/1680/
- Add on with all parsing configurations to be installed both indexer or search head
https://splunkbase.splunk.com/app/742/
the best pratices is: the technology add-ons to be installed both the splunk server (HF,Indexer and Search head)
App with dashboards and reports only on the search heads
Regards
Alessandro
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, @aasabatini
Thank you. In your explanation,
"Add-on with all parsing configurations to be installed both indexer and search head"
--> Is it because that add-ons have search-time configuration and index-time configuration both? As I wrote down, I think only index-time configuration should be on indexers and search-time configuration dose not need to located on indexers. Am I wrong?
As I see the answer here:
"If search time you'll want your TA's on the search head server class, if index time, the indexer class"
m bit confused.. Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandy81,
you can follow two approaches:
- create specific Add-Ons for each kind of Splunk Server, containing only what really needs to it;
- create global Add-Ons for all Splunk Servers.
I prefer the first, because it's optimized for the server role, but the second it's easier to maintain.
Choose the one you prefer.
In both cases,. create a complete documentation.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandy81
From best practices, you must also install the Technology add-ons (TA) on the indexers to be able to parse the data in index time not only in search time.
Data parsed in idex time are better, because don't consume all resources from search heads.
Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!
Logs to Metrics
Developer Spotlight with Paul Stout
