Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk etc app directories

dahlberg
New Member
‎03-27-2017 08:49 AM

I inherited a Splunk installation and I'm a little confused about the app directories in $SPLUNK_HOME/etc (I'm sure its probably answered in docs.splunk.com, and I've looked but I can't seem to find where this might be documented)

(1) I have both a standalone Splunk installation and an installation with a cluster manager. In each installation there is an "apps", "deployment-apps", "master-apps" and "system" directory in $SPLUNK_HOME/etc. When would I use each specific directory?

(2) Within "apps", "deployment-apps", and "master-apps", there are directories (that have the standard default/local/metadata subdirectories) called IA-appname and TA-appname where appname is something like "shibboleth" for data forwarded from Shibboleth servers. What goes in the IA dirs and what goes in the TA dirs?

(3) Is there a way (either CLI or Web GUI) to determine if the changes I've made or IA/TA subdirectories I've created have been incorporated into the Splunk configuration?

Thanks for any help/suggestions/links you can offer.

Mike

0 Karma
Reply

dhirendra761
Contributor
‎12-02-2019 11:04 PM

Go-tourgh this link https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

0 Karma
Reply

ddrillic
Ultra Champion
‎03-27-2017 03:43 PM

Because the Splunk Enterprise software package contains the Indexer, the Search Head, the Deployment Server, the Deployer and more, it gets tricky.

Therefore, it depends on the context - on the Deployment Server $SPLUNK_HOME/etc/deployment-apps contains all the apps to be distributed to the forwarders. On the Deployer Server, in a cluster, $SPLUNK_HOME/etc/shcluster/apps holds the apps to be distributed to the Search Heads. On the Search Head, $SPLUNK_HOME/etc/apps holds the apps themselves.

$SPLUNK_HOME/etc/master-apps is to distribute apps to the indexers - Manage app deployment across all peers

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...