Splunk Enterprise

How to create an app on SHC

tbenpr
New Member

Hello,

I am new to Splunk and I would like to create an app for my dashboards that would be visible on all Search Heads.

Can anyone help?

0 Karma

isoutamo
SplunkTrust

Hi

There are a couple of ways to do it. It depends on what your company's change management and application delivery policies are. Below is a short summary of what those options can be. They are not in order of preference. Of course, these require that you have sufficient rights to do them. Another option is to ask your Splunk admin to create the app, and then you can create dashboards etc. under it.

  • Create the app first on the Deployer and then push it to the SHC
    • You can create it with the GUI or at the filesystem level, but before the push it must be copied from .../etc/apps/<XYZ> to .../etc/shcluster/apps/<XYZ>
  • Create the app in a dev environment and then use e.g. git + CI/CD to deploy it to the SHC via the Deployer.

Anyhow, you must create all new apps first on the Deployer and then push them to the SHC nodes. After that you can make changes directly on the SHC (if permitted by your policy), or first on a dev node and then push those changes via the Deployer to the SHC.

https://docs.splunk.com/Documentation/Splunk/8.2.3/DistSearch/PropagateSHCconfigurationchanges

r. Ismo

0 Karma

tbenpr
New Member

Hi,

Thank you for the answer. I have a few more questions:

During the last months I have made some changes to existing apps (other than the one I want to create). Will a push by the Deployer overwrite my changes to those apps? In the directory /etc/shcluster I still have the default apps (clear).
What should I back up to save all my changes?
Would copying the app from one of the search heads to etc/shcluster be a good idea?

0 Karma

isoutamo
SplunkTrust

"Choose a deployer push mode" tells you what happens to files on the SHC with the different push modes on the Deployer. The rule of thumb is that the Deployer overwrites everything in the SHC nodes' default directories and leaves what is in local alone. With the push mode you can change that behaviour if/when needed.

Never ever push Splunk's default apps (e.g. search, launcher etc.) from the Deployer!!! For that reason it's a best practice to create separate app(s) for end users' own KOs.

It depends on your current (/previous) way of managing those apps. Basically you could copy those configs from one SHC node to the Deployer's shcluster apps directory, but then you should merge the SHC node's local into the default dir on the Deployer. Please read the SHC documentation to understand how it works and what the limitations are when you are using it. I cannot say what is best for your organisation without knowing much more about your current situation and how you have managed processes and policies in your organisation.

r. Ismo

0 Karma
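
The local-to-default merge mentioned in the reply above, as an added Python example (not code from the thread or from Splunk): it stages a copy of one app taken from an SHC member so that files and `.conf` settings from `local/` override those in `default/`. The app name `my_dashboards`, the sample files and the simplified `.conf` parser are assumptions; `metadata/` and the push itself are not handled.

```python
import shutil
import tempfile
from pathlib import Path

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}} (simplified parser)."""
    stanzas, current, pending = {}, "default", None  # keys before any stanza: [default]
    for raw in text.splitlines():
        if pending:  # the previous line ended with "\", so this line continues its value
            key, value = pending[0], pending[1] + "\n" + raw
        else:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
                continue
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
        stanzas.setdefault(current, {})[key] = value
        pending = (key, value) if value.endswith("\\") else None
    return stanzas

def stage_app(member_app, staged_app):
    """Copy default/, overlay local/ on top, then merge each .conf file key by key."""
    member_app, out = Path(member_app), Path(staged_app) / "default"
    for layer in ("default", "local"):  # local is copied last, so its files win
        if (member_app / layer).is_dir():
            shutil.copytree(member_app / layer, out, dirs_exist_ok=True)
    for conf in sorted(out.glob("*.conf")):
        merged = {}
        for layer in ("default", "local"):  # local is applied last, so its keys win
            src = member_app / layer / conf.name
            for stanza, kv in (parse_conf(src.read_text()) if src.is_file() else {}).items():
                merged.setdefault(stanza, {}).update(kv)
        conf.write_text("".join(f"[{s}]\n" + "".join(f"{k} = {v}\n" for k, v in kv.items())
                                + "\n" for s, kv in merged.items()))
    return out

def demo():
    """Constructed sample app: one setting changed in local/, one dashboard added there."""
    app = Path(tempfile.mkdtemp()) / "member" / "my_dashboards"  # hypothetical app name
    views = app / "local" / "data" / "ui" / "views"
    views.mkdir(parents=True)
    (app / "default").mkdir()
    (app / "default" / "savedsearches.conf").write_text(
        "[Errors]\nsearch = index=main error\ncron_schedule = 0 * * * *\n")
    (app / "local" / "savedsearches.conf").write_text("[Errors]\ncron_schedule = */5 * * * *\n")
    (views / "ops.xml").write_text("<dashboard/>")
    return stage_app(app, app.parents[1] / "staged" / "my_dashboards")
```

Run it against a copy of the member's app directory and review the staged `default/` before placing the app under the Deployer's .../etc/shcluster/apps/<XYZ>.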