Splunk indexes.conf by deployment server

lmjoin
Explorer

I have installed a search head cluster and want to push configuration by deployment server. But I am unable to find how to make and push indexes.conf to all indexers (not in clustering). Thanks for reply in advance.

0 Karma
1 Solution

woodcock
Esteemed Legend

You need to create an app with a deploymentclient.conf that points to the Deployment Server. Then create another app with an indexes.conf in it. Then create $SPLUNK_HOME/etc/system/local/serverclass.conf with a serverclass entry that has a whitelist that matches all of your indexers and that contains both the apps that you created.

lmjoin
Explorer

Hello David,

I have cra $SPLUNK_HOME/etc/deployment-apps/YOURAPP/local

I have put indexes.conf, props.conf and transforms.conf on deployment server and

0 Karma

lmjoin
Explorer

Hello Woodcock,

Thanks for reply,

Please share a doc or something on how to create an app for the indexer and how to add an indexer entry in serverclass.

Thanks
lalit

0 Karma

lmjoin
Explorer

Hello Woodcock,
I have created $SPLUNK_HOME/etc/deployment-apps/newapp_indexer/local/indexes.conf

and updated serverclass as

# Indexers
[serverClass:indexers]
whitelist.0 = 192.168.0.108
whitelist.1 = 192.168.0.109
restartSplunkd = False
[serverClass:indexers:app:indexerbase]
[serverClass:indexers:app:deploymentclient]
[serverClass:indexers:app:props]
[serverClass:indexers:app:tranforms]
0 Karma

woodcock
Esteemed Legend

Perfect. Now restart Splunk on the deployment server (or issue the reload command) to make it active and it should push out if you have manually put the deploymentclient app with the configured deploymentclient.conf file in it onto each Indexer and restarted all Splunk instances after that.

0 Karma
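An added example, not posted by anyone in this thread: a small check that every app named in a `[serverClass:<class>:app:<name>]` stanza exists as a directory under deployment-apps, and that every app directory is assigned to some server class. It assumes the default repository location ($SPLUNK_HOME/etc/deployment-apps); the sample config and directory tree are constructed from names mentioned in the thread, and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Matches app-level stanzas such as [serverClass:indexers:app:indexerbase]
APP_STANZA = re.compile(r"^\[serverClass:([^:\]]+):app:([^\]]+)\]\s*$")

def referenced_apps(serverclass_text):
    """Return {server_class: [app, ...]} parsed from serverclass.conf text."""
    apps = {}
    for line in serverclass_text.splitlines():
        m = APP_STANZA.match(line.strip())
        if m:
            apps.setdefault(m.group(1), []).append(m.group(2))
    return apps

def check_apps(serverclass_text, deployment_apps_dir):
    """Compare app stanzas with the directories under deployment-apps."""
    on_disk = {p.name for p in Path(deployment_apps_dir).iterdir() if p.is_dir()}
    referenced = {a for lst in referenced_apps(serverclass_text).values() for a in lst}
    return {
        # Named in serverclass.conf, but no such app directory to deploy
        "missing_on_disk": sorted(referenced - on_disk),
        # Directory exists, but no server class will ever push it
        "not_in_any_class": sorted(on_disk - referenced),
    }

# Constructed sample: shortened version of a serverclass.conf like the one above
SAMPLE_SERVERCLASS = """\
# Indexers
[serverClass:indexers]
whitelist.0 = 192.168.0.108
whitelist.1 = 192.168.0.109
restartSplunkd = False
[serverClass:indexers:app:indexerbase]
[serverClass:indexers:app:deploymentclient]
"""

def demo():
    """Build a constructed deployment-apps tree in a temp dir and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "deployment-apps"
        for app in ("newapp_indexer", "deploymentclient"):
            (root / app / "local").mkdir(parents=True)
        (root / "newapp_indexer" / "local" / "indexes.conf").touch()
        return check_apps(SAMPLE_SERVERCLASS, root)

if __name__ == "__main__":
    print(demo())
```

Against a real deployment server, pass the contents of serverclass.conf and the path to the deployment-apps directory to `check_apps`.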

DavidHourani
Super Champion

Hi lmjoin!

So you can push your indexes.conf from deployment server but make sure you include a metadata config file so that configuration is exported to system.

In the app you will use for indexes make a folder called metadata and add a local.meta file into it containing the following:

# Application-level permissions
[]
access = read : [ * ], write : [ admin]
export = system

Let me know if that works out for you!

Best regards,
David

0 Karma

lmjoin
Explorer

Please share indexes.conf location on deployment server

0 Karma

DavidHourani
Super Champion

So you have to put indexes.conf in an application on $SPLUNK_HOME/etc/deployment-apps/YOURAPP/local. This app needs to be pushed from the deployment server to the indexer that needs to be configured as a deployment client.

0 Karma

DavidHourani
Super Champion

@lmjoin, you don't need to edit your serverclass manually. When you add your app to deployment-apps you can see it on the graphic interface under forwarder management on the deployment server. From there you can create the serverclass via GUI and add the app with indexes.conf in it and the indexers you wish to send it to 🙂

0 Karma

lmjoin
Explorer

OK thanks, I will try and get back

0 Karma

lmjoin
Explorer

One extra question: are props.conf and transforms.conf created in $SPLUNK_HOME/etc/deployment-apps/YOURAPP/local, or can they be created by GUI?

0 Karma

DavidHourani
Super Champion

You have to have the files manually added to deployment apps. You can however create on GUI and copy paste into deployment apps.

0 Karma

lmjoin
Explorer

How to create props.conf and transforms.conf by GUI? Any idea? Thanks in advance.

0 Karma

DavidHourani
Super Champion

Yeah, simply create a new data input and when you create it add a new sourcetype and configure it as needed. That will generate the files for you ^^

0 Karma

lmjoin
Explorer

Thanks for reply,

I have put indexes.conf, props.conf and transforms.conf in $SPLUNK_HOME/etc/deployment-apps/YOURAPP/local on the deployment server and pushed. It shows successfully done, but no indexes.conf, props.conf and transforms.conf are found on the indexer (independent, not in clustering). Please help me.
Thanks
Lalit

0 Karma

DavidHourani
Super Champion

Hi Lalit,

Make sure you add the metadata folder in your app with a file called "default.meta". Within that file you need the following setting: export=system

0 Karma

lmjoin
Explorer

Hello David,

I have created $SPLUNK_HOME/etc/deployment-apps/YOURAPP/metadata/default.mata and added export=system in it, and then I applied

./splunk apply shcluster-bundle -target https://IP:8089 -auth admin:Password

But still no indexes.conf, props.conf and transforms.conf are found on the indexer (independent, not in clustering).

Thanks
Lalit

0 Karma

DavidHourani
Super Champion

Hey there,

The command :
./splunk apply shcluster-bundle -target https://IP:8089 -auth admin:Password
Is for search head clusters. All you have to do is make sure your indexer is connected to the deployment server. Check your forwarder management page from settings on the deployment server and see if your indexer is there. Avoid using the serverclass file and use the GUI because it is easier to use for starting.

0 Karma

woodcock
Esteemed Legend

No, no, no. That command is for Deployer, not for Deployment Server. Just restart Splunk because you do not need a PW for that. The other command is: /opt/splunk/bin/splunk reload deploy-server -auth admin:PW

0 Karma

DavidHourani
Super Champion

Yeah, exactly!

0 Karma