
splunk set web-port 8888 - what about large rollout?

chicodeme
Communicator

It seems that splunk has some things to work on when rolling out its product to large corporate environments. We have a lot of web servers out there and port 8000 is commonly used. So, when trying to roll out splunk via cmdline scripting, there is no way to have the port added until the product is up and running and then you can run ./splunk set web-port 8888.

So the best I can come up with is creating this file before starting splunk: /opt/splunk/etc/system/local/web.conf

    [settings]
    httpport = 8888

This of course is a hack way to do it. There should be an install file or cmdline utils that don't require splunk to be running to configure things like this.

Anyone else have any other ideas?

Oh yeah here are a few other things that don't work right from a cmdline large rollout perspective.

  • Solaris pkg file silent install doesn't work
  • There is no way to manage the global config files in /opt/splunk/etc/system/local via deployment manager
  • After each upgrade of the software you have to accept the license even though you are already using the splunk forwarder license. A step that should not be required even with (start --answer-yes --no-prompt --accept-license)
  • The product has to start and create db files even though you're just going to turn it into a lightweightforwarder and not need them.
  • Why does the web client even have to start the first time? I want it off on the lightweightforwarder before splunk even ever starts up.

I put this info down in hopes that splunk creates a mechanism for helping roll out their product in a more automated and controlled fashion. I heard they were going to have a packaged lightweightforwarder client to rollout. I don't know how true that is, but it would be nice.

0 Karma

gkanapathy
Splunk Employee
  • I don't know, but that seems like a bug or a docs problem. If you haven't already looked, maybe Support has a workaround or instructions.
  • As I've said before, there should be basically nothing in that location except the server-specific files (which are generated by first-time run). There is nothing that needs to go here that wouldn't be better put into an app folder instead.
  • I just modify the default start script to always include these flags.
  • You can enable the LWF via conf file before first-time run.
  • It does not. Just enable the LWF via conf file before the first-time run. You can enable or disable any and all Splunk configurations, including for example disabling the web server (not necessary if you've enabled LWF), before first-time run by installing the appropriate conf files.


0 Karma


chicodeme
Communicator

my main focus is rolling out the software to ~1,000 servers.. I can tell you that without a doubt splunk has a lot of work to do in order to make the product better suited for that type of job based on the problems mentioned herein. the answers given herein are not how you design a product for large scale rollouts.. anyone that claims different hasn't done one or hasn't done enough of them... the answers are doable and workarounds but i'm not a satisfied paying customer.. so i'm leaving my feedback to the community in hopes splunk engineers will make this part of splunk better..

0 Karma

gkanapathy
Splunk Employee

yeah it's annoying. comments do some of the formatting, but not all of it.

0 Karma

gkanapathy
Splunk Employee

All of the configs I mentioned are deployable via deployment server via the exact same mechanism that you would use to do the initial install. The software will come with certain default configurations that will not suit everyone, but all of these default configurations can be overridden by just placing new configuration files either before first run via file copy or tar, or via Deployment Server.

0 Karma
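The pre-first-run file staging discussed in this thread, sketched as a shell function. This is an added example, not code from either poster or from Splunk. The app name `org_forwarder_base` is hypothetical, and the `startwebserver` setting and the `SplunkLightForwarder` app's `[install] state` stanza are assumptions about the installed version that should be checked against its web.conf and app.conf spec files.

```shell
#!/bin/sh
# Stage Splunk settings as plain files before the first start (added example).
# Usage on a host, with the start flags quoted in the thread:
#   stage_forwarder_conf /opt/splunk 8888 0 && \
#     /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt

APP_NAME="org_forwarder_base"   # hypothetical app name, not from the thread

# stage_forwarder_conf SPLUNK_HOME HTTPPORT WEB   (WEB: 1 = start web UI, 0 = off)
stage_forwarder_conf() {
    home=$1 port=$2 web=$3
    # Validate inputs before anything is written into a conf file.
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
    case $web in 0|1) ;; *) echo "web must be 0 or 1" >&2; return 2 ;; esac
    [ -d "$home/etc" ] || { echo "no Splunk install under $home" >&2; return 3; }

    # etc/system/local outranks app folders, so a leftover web.conf there wins.
    if grep -qs '^httpport' "$home/etc/system/local/web.conf"; then
        echo "warning: etc/system/local/web.conf already sets httpport" >&2
    fi

    # Settings go into an app folder, as the reply recommends, so the same
    # directory can later be shipped by Deployment Server.
    app_local="$home/etc/apps/$APP_NAME/local"
    mkdir -p "$app_local" || return 1
    cat > "$app_local/web.conf" <<EOF
[settings]
httpport = $port
startwebserver = $web
EOF

    # Assumption: the light forwarder is the bundled SplunkLightForwarder app,
    # switched on through its app.conf [install] stanza.
    lwf_local="$home/etc/apps/SplunkLightForwarder/local"
    mkdir -p "$lwf_local" || return 1
    cat > "$lwf_local/app.conf" <<EOF
[install]
state = enabled
EOF
}
```

Passing 0 as the third argument keeps the web interface from listening on forwarders at all, which also removes the port 8000 conflict described in the question.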

chicodeme
Communicator

sorry about that formatting.. seems comments just wrap up like that..

0 Karma

chicodeme
Communicator

Editing configuration files in different places are work-arounds. There should be a centralized way to manage it.. like a cmdline interface that doesn't require splunk to be running. that way when the configs change it's maintainable. or maybe a silent install file that can be used.. etc..
- it's a bug. support is working on it
- that overlooks the importance of proper organization, management, & inheritance
- me too.. not the right way to do it though
- not good enough
- not good enough

sorry i wasn't more clear.. i'm trying to make a point to splunk of a bigger problem they need to solve..

0 Karma