Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure the cluster peers inputs.conf file through the Cluster Master

mcirrici
Explorer
‎09-14-2020 07:05 AM

I'm tasked with moving the $SPLUNK_HOME/etc/system/local/ conf files within our peer nodes to their own Splunk apps for easier management using the deployment-server/cluster master method.

Since, we are using third-party SSL certificates to secure log ingestion from the forwarders each peer has their own unique .pem file.

What is the best way to incorporate the inputs.conf file regarding the SSL configs, for all peer nodes within a Splunk app that will be distributed to all peers?

Specifically, I'm referring to the serverCert option, which has a different filename on each peer node. All other config options are the same within the inputs.conf files.

Thanks!

Labels (3)
0 Karma
Reply

kjstogn
Explorer
‎11-02-2021 10:55 AM

I think this may help: https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Managesinglepeerconfigurations

I get what your saying as if you theoretically have 3 Indexer Peers therefore 3 different inputs.conf allowing Splunk SSL receiving.

If it is a small deployment I would manage it on a peer by peer basis and locally configure it in its own app context/repository.

Or use the same cert and password throughout (probably not what you want) and use the deployment server to deploy it as an app

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-20-2020 02:15 AM

search peers ( Indexers participating in Indexer cluster)  are always managed by Cluster Master. Configuration will be kept under $SPLUNK_HOME/etc/master-apps

The same configuration needs to be pushed to search peers which are indexers. same configuration will be kept under $SPLUNK_HOME/etc/slave-apps in search peers.

To Move inputs.conf which is in system/local on Indexers:

  1. create an app "Indexers_inputs" under $SPLUNK_HOME/etc/master-apps on Cluster master
  2. create a directory "local" under $SPLUNK_HOME/etc/master-apps/Indexers_inputs on Cluster master
  3. move your inputs.conf to $SPLUNK_HOME/etc/master-apps/Indexers_inputs/local
  4. Then deploy app to search peers from cluster master using below command

$SPLUNK_HOME/bin/splunk apply cluster-bundle

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...