I'm looking into how to automate Splunk setup for newly spun-up servers. As I'm still not the most proficient with the Splunk internal configs to determine what's needed and what's not, I want some guidance as to which config files I need to alter in order to prepare the newly spun-up server to be plugged into the wider Splunk deployment.
Currently we have a distributed multisite setup, and the idea is to have a collection of the configs needed so that we can just alter and push them to the new server given the server's task, be it indexer, search head or any other server we potentially need.
So what I'm asking for is a pointer to which config files need to be staged for setup. (I assume it's mostly the ../system/*.conf files, but are there any others to keep a lookout for?)
Do you want to have an installation package with all setups, or to configure forwarders after installation?
If the first, you can create an installation bundle (on Linux) by taking the whole splunk folder of an existing installed forwarder and changing the hostname only in two files in $SPLUNK_HOME/etc/system/local/:
If instead you need to send configurations to one or more forwarders, you can use the Deployment Server, as you can read at https://docs.splunk.com/Documentation/Splunk/9.0.0/Updating/Aboutdeploymentserver.
In a few words, all the Splunk configurations are in $SPLUNK_HOME/etc/.
My hint is to create an app, called e.g. TA_Forwarders, containing only three conf files:
Then, once the forwarder is installed on a machine, you have to copy this app to $SPLUNK_HOME/etc/apps and restart Splunk on the forwarder, so the forwarder will be connected to the Deployment Server, which will send it all configurations.
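The answer above describes a small bootstrap app whose only job is to point a fresh forwarder at the Deployment Server. The following is an added example (mine, not code from the thread or from Splunk) that stages such an app on disk. The app name TA_Forwarders comes from the answer; everything else is my assumption: that one of the three conf files is deploymentclient.conf, that the files live in the app's local/ directory, and that the deployment server is reached on its management port (8089 by default). The script only writes files; restarting the forwarder afterwards is left to you, as the answer says.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk: stage the small
# "phone home" app the answer above describes, so a fresh forwarder
# registers with the deployment server and receives the rest of its
# configuration from there.  Assumptions not stated on the page: the app
# is named TA_Forwarders, its files live in local/, and the deployment
# server is reached on its management port (8089 by default).

# stage_deployment_client <splunk_home> <ds_host:port> [client_name]
stage_deployment_client() {
    splunk_home="$1"
    target="$2"
    client_name="${3:-$(hostname)}"

    # refuse a target that is not host:port, so a typo does not produce a
    # client that silently never phones home
    case "$target" in
        ?*:[0-9]*) ;;
        *) echo "targetUri must be host:port, got '$target'" >&2; return 1 ;;
    esac

    app_dir="$splunk_home/etc/apps/TA_Forwarders/local"
    mkdir -p "$app_dir"

    # app.conf: enabled, hidden from the UI (a bootstrap app has no UI)
    cat > "$app_dir/app.conf" <<EOF
[install]
state = enabled

[ui]
is_visible = false
EOF

    # deploymentclient.conf: who we are and which deployment server to call
    cat > "$app_dir/deploymentclient.conf" <<EOF
[deployment-client]
clientName = $client_name

[target-broker:deploymentServer]
targetUri = $target
EOF
    echo "$app_dir"
}

# deployment_target <splunk_home>: read back the configured targetUri,
# handy as a post-install check before restarting splunkd
deployment_target() {
    grep -E '^targetUri' "$1/etc/apps/TA_Forwarders/local/deploymentclient.conf" \
        | sed 's/^targetUri *= *//'
}

if [ "${STAGE_DEMO:-}" = 1 ]; then
    # e.g. STAGE_DEMO=1 DS_TARGET=ds.example.internal:8089 sh stage_client.sh
    # then: $SPLUNK_HOME/bin/splunk restart
    stage_deployment_client "${SPLUNK_HOME:-/opt/splunkforwarder}" \
        "${DS_TARGET:-ds.example.internal:8089}"
fi
```

The host:port check is deliberately strict: a malformed targetUri is not an error at startup, the client just never appears in the Deployment Server's client list. Recent deploymentclient.conf versions also let the client verify the deployment server's certificate (sslVerifyServerCert and the related CA settings in your version's deploymentclient.conf.spec); the example leaves those at Splunk's defaults, so add them if your deployment server presents a certificate from your own CA.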
Thanks for the reply, and sorry for the late reply.
It is more about wanting to automate setup of the "core" (indexers, search heads, clusters, deployers and the like). I've recently found an article by Splunk on how to use Ansible for the automation part.
Now I'm essentially looking for the configs I need in order to spin up another server based on our configs and what it needs to be. I'm not sure if all the confs I need are located in splunk/etc/system/local.
Forwarders are a secondary concern at the moment, so not important.
It's usually useful to clone a Splunk installation only for forwarders; for Splunk servers, I think it's easier to make a new installation and configure the new server as you need.
I say this because you would have to create a clone for each role (indexer, search head, heavy forwarder, etc.) and then manually customize the clone: it's easier to install the new Splunk server from scratch.
Ansible is usually used for forwarders, because there's no sense in using Ansible for Splunk servers.
About Splunk configuration files, only a few of them are in $SPLUNK_HOME/etc/system/local: they are usually distributed across many folders under $SPLUNK_HOME/etc.
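The last point, that site configuration is spread across $SPLUNK_HOME/etc rather than sitting only in etc/system/local, is what makes "collect the configs for a role" harder than it looks. The following added example (mine, not from the thread or from Splunk) walks an existing node and lists the .conf files worth staging for a new node of the same role, the settings that must change per node, and the per-host secrets a clone must not carry. It assumes the standard layout: etc/system/local, etc/apps/<app>/local, and the bundle directories a cluster manager (etc/master-apps or etc/manager-apps), deployer (etc/shcluster/apps) or deployment server (etc/deployment-apps) pushes from. Which two files the first answer means by "changing the hostname" is not stated on the page; the example assumes serverName in server.conf and host in inputs.conf. Treating etc/auth/splunk.secret, etc/auth/*.pem and etc/passwd as per-host material is likewise my assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk: find the .conf
# files that carry site configuration on an existing node so they can be
# staged for a new node of the same role.  Assumes the standard layout:
# etc/system/local, etc/apps/<app>/local, and the bundle directories a
# cluster manager, deployer or deployment server pushes from.  default/
# directories are skipped on purpose: shipped defaults are not site config,
# and your own apps' default/ travels with the app directory anyway.

# inventory_conf <splunk_home>: list site .conf files relative to SPLUNK_HOME
inventory_conf() {
    home="$1"
    [ -d "$home/etc" ] || { echo "no etc/ under $home" >&2; return 1; }
    (
        cd "$home" || exit 1
        for d in etc/system/local etc/apps/*/local \
                 etc/master-apps etc/manager-apps \
                 etc/shcluster/apps etc/deployment-apps; do
            [ -d "$d" ] || continue
            find "$d" -type f -name '*.conf'
        done
    ) | sort -u
}

# host_specific_settings <splunk_home>: settings that must change per node.
# Assumption: serverName (server.conf) and host (inputs.conf) are the two
# hostname-bearing settings; a clone that keeps them collides with the
# original node in the cluster and stamps its events with the wrong host.
host_specific_settings() {
    home="$1"
    inventory_conf "$home" | while IFS= read -r f; do
        ( cd "$home" && grep -H -E '^[[:space:]]*(serverName|host)[[:space:]]*=' "$f" ) || true
    done
}

# never_clone <splunk_home>: per-host secrets that must not be copied to
# another node (assumption: each node gets its own splunk.secret, server
# certificate and local user database).
never_clone() {
    home="$1"
    (
        cd "$home" || exit 1
        for f in etc/passwd etc/auth/splunk.secret etc/auth/*.pem; do
            [ -f "$f" ] && echo "$f"
        done
        true
    )
}

if [ "${CONF_INVENTORY_DEMO:-}" = 1 ]; then
    # e.g. CONF_INVENTORY_DEMO=1 SPLUNK_HOME=/opt/splunk sh inventory.sh
    echo "== site config to stage =="
    inventory_conf "${SPLUNK_HOME:-/opt/splunk}"
    echo "== change per node =="
    host_specific_settings "${SPLUNK_HOME:-/opt/splunk}"
    echo "== do not clone =="
    never_clone "${SPLUNK_HOME:-/opt/splunk}"
fi
```

Run it against one existing node per role (an indexer, a search head, the cluster manager) and the first list is the set of files to turn into your Ansible templates; the second list is the set of values to parametrize; the third list is what a whole-directory clone would copy that you want generated fresh on each host instead.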