Deployment applications

Cievo
Explorer

Hello

I have a problem with Deployment Server. I would like to set up e-mail settings for all my Splunk servers using a deployment application. I have created the deployment server, and I have created the classes and applications I want to deploy.

The application is downloading to the right servers. The application is very simple. I created the file "/opt/splunk/etc/deployment-apps/setSplunkCommonConfig/default/xxx_alert.actions.conf" with the following content:

[email]
allowedDomainList = domain.com
pdf.header_left = none
pdf.header_right = none

This application is downloaded to the client and stored under the "/opt/splunk/etc/apps/setSplunkCommonConfig" directory, and the file "xxx_alert.actions.conf" is there.

So distribution of the application looks to be working fine. But my problem is that the settings from the file "xxx_alert.actions.conf" are not applied on the client.

What am I doing wrong?

Which directories can the deployment server copy files to: "/opt/splunk/etc/system/local" or "/opt/splunk/etc/system/default" or both?

Thank you for any hint.

 


richgalloway
SplunkTrust

Is the client set to restart itself when it downloads the app?

---
If this reply helps you, Karma would be appreciated.

Cievo
Explorer

I wanted to change the "Allowed Domains" field under Server Settings -> Email settings.

When I do it using the website I get the following log in audit.log:

"changes":[{"stanza":"email","properties":[{"name":"allowedDomainList","new_value":"domain1.sk","old_value":""},

When the new application is installed I can see the following log line saying that the value is changing:

"changes":[{"stanza":"email","properties":[{"name":"allowedDomainList","new_value":"domain2.sk","old_value":""},

But the difference is that if the value is changed using the deployment application, I don't see the accurate change on the website - Allowed Domains is empty.

 

How would you do this?

 


Cievo
Explorer

Restart didn't help.

 


isoutamo
SplunkTrust

Log in to any of those servers and use

splunk btool alert_actions list --debug

This way you can see which file each setting is coming from.

I’m not sure, but there could be some settings in this config which work only from …/system/local, or at least that was the case on older versions (6.x and 7.x)?
r. Ismo
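
As an added example (not part of the original post and not Splunk's own tooling), the Python sketch below parses `splunk btool alert_actions list --debug` output and labels each effective setting with the configuration layer it comes from, so a setting delivered by a deployed app's default directory can be told apart from one set in …/system/local. The sample input is constructed, and the helper names and the assumption that source paths contain no spaces are this example's own.

```python
import re
from collections import namedtuple

Setting = namedtuple("Setting", "stanza key value source layer")

# Constructed sample in the shape of `btool ... list --debug` output:
# each line is "<source file> <[stanza] or key = value>".
SAMPLE = """\
/opt/splunk/etc/apps/setSplunkCommonConfig/default/alert_actions.conf [email]
/opt/splunk/etc/apps/setSplunkCommonConfig/default/alert_actions.conf allowedDomainList = domain.sk
/opt/splunk/etc/apps/setSplunkCommonConfig/default/alert_actions.conf from = splunk@domain.sk
/opt/splunk/etc/system/default/alert_actions.conf                     format = table
/opt/splunk/etc/system/local/alert_actions.conf                       mailserver = localhost
"""

LAYERS = [  # (pattern matched against the source path, layer name)
    (r"/etc/system/local/", "system/local"),
    (r"/etc/apps/([^/]+)/local/", "app/local"),
    (r"/etc/apps/([^/]+)/default/", "app/default"),
    (r"/etc/system/default/", "system/default"),
]

def classify(path):
    """Map a source file path to its configuration layer (plus app name)."""
    for pattern, name in LAYERS:
        m = re.search(pattern, path)
        if m:
            return name + (":" + m.group(1) if m.groups() else "")
    return "other"

def parse_btool_debug(text):
    """Return one Setting per key line, tracking the current stanza."""
    settings, stanza = [], None
    for line in text.splitlines():
        parts = line.split(None, 1)  # assumes no spaces in the file path
        if len(parts) != 2:
            continue
        source, rest = parts[0], parts[1].strip()
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
        elif "=" in rest:
            key, value = (s.strip() for s in rest.split("=", 1))
            settings.append(Setting(stanza, key, value, source, classify(source)))
    return settings

def find(settings, stanza, key):
    return [s for s in settings if s.stanza == stanza and s.key == key]

if __name__ == "__main__":
    for s in parse_btool_debug(SAMPLE):
        print(f"[{s.stanza}] {s.key} = {s.value!r}  <- {s.layer}")
```
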

Cievo
Explorer

Hello

Thank you for your answer. I tried your command and I got:

root@MSVMSLMCLM01:/opt/splunk/bin# ./splunk btool alert_actions list --debug | grep allowed
/opt/splunk/etc/apps/setSplunkCommonConfig/default/alert_actions.conf allowedDomainList = domain.sk
root@MSVMSLMCLM01:/opt/splunk/bin# ./splunk btool alert_actions list --debug | grep from
/opt/splunk/etc/apps/setSplunkCommonConfig/default/alert_actions.conf from = splunk@domain.sk

So it looks like the settings are used from the correct file, the file from the pushed application. But when I check the web on this machine, those values are empty:

Cievo_0-1723139827896.png

Any idea?

 


isoutamo
SplunkTrust
Are you running Splunk as root or some other user? Using root is against security practices!
If you are running it as splunk, you should also check btool with that user. Otherwise there is a small possibility that those files are owned by root and the splunk user doesn’t have read access to them.
Another option is that some options can be set only in …/system/local. Unfortunately you cannot use DS to deploy those configurations into it.
Maybe it’s best to raise a Splunk support case for it!

Cievo
Explorer

You are absolutely right. Splunk ran under the root account. I have changed it already, but it didn't help.

Normal universal forwarders work great, only Splunk servers don't change configuration. But I will handle it using ../local/ files as you suggested.

Thank you,

 


Cievo
Explorer

Nope. Is it necessary to restart splunkd?
