It seems that Splunk has some things to work on when rolling out its product to large corporate environments. We have a lot of web servers out there and port 8000 is commonly used. So, when trying to roll out Splunk via cmdline scripting, there is no way to have the port added until the product is up and running and then you can run ./splunk set web-port 8888
So the best I can come up with is creating this file before starting Splunk:
/opt/splunk/etc/system/local/web.conf
[settings]
httpport = 8888
This of course is a hack way to do it. There should be an install file or cmdline utils that don't require Splunk to be running to configure things like this.
Anyone else have any other ideas?
Oh yeah here are a few other things that don't work right from a cmdline large rollout perspective.
I put this info down in hopes that Splunk creates a mechanism for helping roll out their product in a more automated and controlled fashion. I heard they were going to have a packaged lightweight forwarder client to roll out. I don't know how true that is, but it would be nice.
My main focus is rolling out the software to ~1,000 servers. I can tell you that without a doubt Splunk has a lot of work to do in order to make the product better suited for that type of job based on the problems mentioned herein. The answers given herein are not how you design a product for large scale rollouts. Anyone that claims different hasn't done one or hasn't done enough of them. The answers are doable and workarounds, but I'm not a satisfied paying customer, so I'm leaving my feedback to the community in hopes Splunk engineers will make this part of Splunk better.
All of the configs I mentioned are deployable via deployment server via the exact same mechanism that you would use to do the initial install. The software will come with certain default configurations that will not suit everyone, but all of these default configurations can be overridden by just placing new configuration files either before first run via file copy or tar, or via Deployment Server.
Editing configuration files in different places are workarounds. There should be a centralized way to manage it, like a cmdline interface that doesn't require Splunk to be running. That way when the configs change it's maintainable. Or maybe a silent install file that can be used, etc.
- it's a bug. Support is working on it
- that overlooks the importance of proper organization, management, & inheritance
- me too.. not the right way to do it though
- not good enough
- not good enough
Sorry I wasn't more clear. I'm trying to make a point to Splunk of a bigger problem they need to solve.
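
The approach discussed in the thread (placing the override in etc/system/local/web.conf before first run), as an added example that is not part of the original posts or Splunk's own tooling: an idempotent shell function a rollout script could call per host. The function name `set_web_port` is hypothetical; the file path, the `[settings]` stanza and the `httpport` key are the ones given in the question.

```shell
#!/bin/sh
# Added example: pre-seed the Splunk web port before the first start.
# set_web_port is a hypothetical helper; path, stanza and key come from the thread.

set_web_port() {
    splunk_home=$1
    port=$2
    conf="$splunk_home/etc/system/local/web.conf"

    # Accept only a decimal TCP port in 1..65535.
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "invalid port: $port" >&2; return 1; }

    mkdir -p "$(dirname "$conf")" || return 1
    [ -f "$conf" ] || : > "$conf"

    # Rewrite the file: replace httpport inside [settings], add it if the
    # stanza lacks it, append the stanza if it is missing. Other stanzas
    # and keys are passed through unchanged.
    tmp="$conf.tmp.$$"
    awk -v port="$port" '
        function emit() {
            if (in_settings && !done) { print "httpport = " port; done = 1 }
        }
        /^[ \t]*\[/ {
            emit()
            in_settings = ($0 ~ /^[ \t]*\[settings\][ \t]*$/)
            if (in_settings) seen = 1
            print; next
        }
        in_settings && /^[ \t]*httpport[ \t]*=/ {
            if (!done) { print "httpport = " port; done = 1 }
            next
        }
        { print }
        END {
            emit()
            if (!seen) { print "[settings]"; print "httpport = " port }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}
```

Running it again with the same port leaves the file unchanged, so it can sit in a script that is re-run across hosts.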