Splunk Enterprise

How to configure the cluster peers inputs.conf file through the Cluster Master

mcirrici
Explorer

I'm tasked with moving the $SPLUNK_HOME/etc/system/local/ conf files within our peer nodes to their own Splunk apps for easier management using the deployment-server/cluster master method.

Since we are using third-party SSL certificates to secure log ingestion from the forwarders, each peer has its own unique .pem file.

What is the best way to incorporate the inputs.conf file regarding the SSL configs, for all peer nodes within a Splunk app that will be distributed to all peers?

Specifically, I'm referring to the serverCert option, which has a different filename on each peer node. All other config options are the same within the inputs.conf files.

Thanks!

0 Karma

kjstogn
Explorer

I think this may help: https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Managesinglepeerconfigurations

I get what you're saying: if you theoretically have 3 indexer peers, you therefore have 3 different inputs.conf files allowing Splunk SSL receiving.

If it is a small deployment I would manage it on a peer by peer basis and locally configure it in its own app context/repository.

Or use the same cert and password throughout (probably not what you want) and use the deployment server to deploy it as an app.

0 Karma

thambisetty
SplunkTrust

Search peers (indexers participating in an indexer cluster) are always managed by the Cluster Master. Configuration will be kept under $SPLUNK_HOME/etc/master-apps.

The same configuration needs to be pushed to the search peers, which are indexers. The same configuration will be kept under $SPLUNK_HOME/etc/slave-apps on the search peers.

To move the inputs.conf that is in system/local on the indexers:

  1. Create an app "Indexers_inputs" under $SPLUNK_HOME/etc/master-apps on the Cluster Master.
  2. Create a directory "local" under $SPLUNK_HOME/etc/master-apps/Indexers_inputs on the Cluster Master.
  3. Move your inputs.conf to $SPLUNK_HOME/etc/master-apps/Indexers_inputs/local.
  4. Then deploy the app to the search peers from the Cluster Master using the command below:

$SPLUNK_HOME/bin/splunk apply cluster-bundle

————————————
If this helps, give a like below.
0 Karma
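
One way to decide what goes into the shared app, as an added example (not code from any of the posts or from Splunk): it compares the inputs.conf collected from each peer and separates the settings that are identical everywhere, which can go into the master-apps app from thambisetty's steps, from those such as serverCert that differ and would stay configured locally on each peer as kjstogn suggests. The sample files, hostnames, port and certificate paths are constructed, and the function names are this example's own.

```python
# Constructed sample: system/local/inputs.conf as collected from three peers.
# Hostnames, certificate paths and the port are made up for this example.
TEMPLATE = """\
[splunktcp-ssl:9997]

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/{host}.pem
sslPassword = <placeholder>
requireClientCert = false
"""
PEER_CONFS = {h: TEMPLATE.format(host=h) for h in ("idx1", "idx2", "idx3")}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, keeping empty stanzas."""
    conf, stanza = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def split_settings(peer_texts):
    """Return (common, per_peer): settings identical on all peers vs. the rest."""
    parsed = {peer: parse_conf(text) for peer, text in peer_texts.items()}
    confs = list(parsed.values())
    common, per_peer = {}, {peer: {} for peer in parsed}
    for peer, conf in parsed.items():
        for stanza, kv in conf.items():
            shared = all(stanza in c for c in confs)
            (common if shared else per_peer[peer]).setdefault(stanza, {})
            for key, value in kv.items():
                if all(c.get(stanza, {}).get(key) == value for c in confs):
                    common[stanza][key] = value
                else:
                    per_peer[peer].setdefault(stanza, {})[key] = value
    return common, per_peer

def render(conf):
    """Serialize {stanza: {key: value}} back to .conf text."""
    return "\n\n".join(
        "\n".join([f"[{s}]"] + [f"{k} = {v}" for k, v in kv.items()])
        for s, kv in conf.items()) + "\n"

if __name__ == "__main__":
    common, per_peer = split_settings(PEER_CONFS)
    print("# master-apps/Indexers_inputs/local/inputs.conf\n" + render(common))
    for peer, conf in per_peer.items():
        print(f"# stays local on {peer}\n" + render(conf))
```

On real peers sslPassword is normally stored encrypted with each instance's own splunk.secret, so it will usually be reported as peer-specific alongside serverCert.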