
Support for Search Head Clustering

jamos_bt
Engager

I wish I were more well-versed in the various deployment architectures for Splunk and what they mean as far as app / add-on deployment, but I'm not and am stuck at the moment.

A customer has asked whether an app we have published to Splunkbase supports Search Head Clustering.  Having read through some documentation on what it is and how it works, I'm still uncertain as to what that means with respect to my app.

Does anyone know (or can anyone point me to a resource that I've yet to unearth) what "support Search Head Clustering" means, how I would know whether my app supports it, and what an app developer must do to support it?

I can say with certainty that we did not do anything special during the development process to support this, but that doesn't mean it isn't supported inherently ... so I'm at a loss.  🙂


VatsalJagani
SplunkTrust

@jamos_bt - Here are some key pointers to keep in mind as the developer of an app:

  • A search head cluster means 3 or more SHs being in sync with each other for configuration and lookups.
  • Splunk handles the configuration sync automatically as long as you follow the practices detailed below.
  • Your app will be installed from another Splunk machine called the "Deployer".
    • You can ask the user to make some config on the deployer directly, but you don't need to as long as your configs are getting synced properly.
  • To ensure the configuration is in sync, keep this in mind:
    • Do not make config file modifications directly on the system; use Splunk REST endpoints to make changes to config files.
    • Your app's configuration page, if any, should also make changes only via REST endpoints.
    • Do not make lookup file modifications directly on the system; use either Splunk REST endpoints or the outputlookup command to make changes to lookups.
  • Your alerts will be executed on only 1 instance, decided by the SHC captain at runtime, and it could be a different one each time.
  • Your dashboards should work as is as long as you are not doing anything crazy.

 

I hope this helps!!!

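One way to check an app's Python code for the direct config and lookup file writes the answer above advises against, as an added example that is not part of the original thread or of Splunk's tooling. The function names, the sample app code and its file names are constructed for illustration, and the check is a heuristic that only sees the builtin `open()` with a literal or simply assigned path.

```python
import ast
WRITE_FLAGS = set("wax+")        # open() modes that modify the file
LOCAL_STATE = (".conf", ".csv")  # config files and lookup files

# Constructed sample of app code: two direct writes and one harmless read.
SAMPLE = '''\
import os

def save_settings(text):
    path = os.path.join(os.environ["SPLUNK_HOME"], "etc", "apps", "my_app", "local", "my_app.conf")
    with open(path, "w") as fh:
        fh.write(text)

def add_asset(row):
    with open("lookups/assets.csv", mode="a") as fh:
        fh.write(row)

def read_defaults():
    return open("default/app.conf").read()
'''

def _strings(node):
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]

def find_direct_writes(source):
    """Return sorted (line, file literal) pairs for open() calls that write .conf/.csv files."""
    tree = ast.parse(source)
    # Map simple variable names to the expression assigned to them.
    assigned = {t.id: n.value for n in ast.walk(tree) if isinstance(n, ast.Assign)
                for t in n.targets if isinstance(t, ast.Name)}
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "open" and node.args):
            continue
        mode = node.args[1] if len(node.args) > 1 else next(
            (k.value for k in node.keywords if k.arg == "mode"), None)
        if not (isinstance(mode, ast.Constant) and isinstance(mode.value, str)
                and WRITE_FLAGS & set(mode.value)):
            continue  # read-only open, or a mode that is not a literal
        target = node.args[0]
        if isinstance(target, ast.Name):
            target = assigned.get(target.id, target)
        hits = [s for s in _strings(target) if s.lower().endswith(LOCAL_STATE)]
        if hits:
            findings.append((node.lineno, hits[0]))
    return sorted(findings)
```

Each finding marks a write that stays on one search head only and should go through a REST endpoint or `outputlookup` instead.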

jamos_bt
Engager

Thank you, @VatsalJagani!  That is precisely the sort of information I'd been trying to find.  From what you've stated, I think our app may indeed support SHC.

The initial structure of the app was created using Splunk's Add-on Builder app with inputs defined as modular inputs backed by custom Python code.  So all the configuration is stored as parameters on these inputs and provided via the Splunk web interface.

The only other information stored and read by the app is a bit of state info that lives in StoragePasswords.  The AoB framework provides a helper that provides access to various services such as storage_passwords, and I would assume that it's making REST calls behind the scenes.

Anyway, thank you again.  I appreciate the response!


VatsalJagani
SplunkTrust

Perfect!!! Yes, as long as you are not doing anything fancy, it should be SHC supported.
