I am trying to build some modular documentation as a Splunk app on a site with an indexer and search head cluster. Some of the reasoning behind this is that I spend quite some time researching existing configuration when I'm about to make new changes. Thus I would like to be able to create views showing me details from props, transforms and indexes on the search heads.
My question is: do you see any potential pitfalls in having the configuration on search heads as well as the indexers? Or is there any other solution for being able to view configuration on the indexer peers from the search heads?
Cheers!
Have you seen the Admin's Little Helper app (https://splunkbase.splunk.com/app/6368)? It includes a btool command that lets you see your configurations on both SH and indexers using SPL.
While many configurables can be loaded safely on either/both SH and indexer, others cannot. Inputs and outputs are good examples. Clustering settings are another.
Hi
You could use @richgalloway's presented apps. I think that there was a presentation about it at the last or previous .conf? Another option is to just use REST requests to get the information you want to show.
On Splunk Cloud you don't have REST access to indexers, and otherwise it has a restricted number of endpoints in use. For that reason you cannot get all that information this way.
IMHO: You should have all this kind of configuration in some version control system like git. Create the needed Apps and TAs to store those. Maybe separate TAs based on your needs between HF/UF, Indexers and SH. Then just use any suitable methods / processes to install those into the correct environment.
Try to avoid configuring that kind of information via both the GUI and conf files. In the long run you will avoid a lot of issues by using git + Apps/TAs with conf files!
r. Ismo
Thanks for the reply @isoutamo.. I'll definitely have a look at the .conf presentation!
With regards to asking for the details from REST I've only been able to query details from the search heads i.e.
splunk_server=local
by searching.
I'm not sure I was clear on the reason behind my question, but what I'm looking for is a way to, for example, go to a dashboard to search for sourcetype=foo and find the props details which reside on the idxm/indexer peers. So it's really a matter of being able to read current configuration without the "hassle" of logging on and reading files, not making configuration changes.
As for version control I have the data available in git, but I want it even more readily available directly in Splunk since that is the source after all. 🙂
You should just replace this
splunk_server=*
and then it sends that to all search peers.
I cannot recall what those endpoints are, but it’s something under config or configurations.
Thanks for the reply @richgalloway.. I will have a look at the app in more detail as I have only lightly browsed it in the past. If it doesn't fill the criteria for what I'm looking for in this instance, it looks to be a nice tool to have in the arsenal regardless.