Splunk Enterprise

Mirror props, transforms and indexes from indexer cluster to search head cluster

okheggdal
Explorer

I am trying to build some modular documentation as a Splunk app on a site with a indexer- and search head cluster.  Some of the reasoning behind this is that I spend quite some time researching existing configuration when I'm about to make new changes .  Thus I would like to be able to create views showing me details from props, transforms and indexes on the search heads.

My question is; do you see any potential pitfalls by having the configuration on search heads as well as the indexers?  Or, are there any other solution for being able to view configuration on the indexer peers from the search heads?

Cheers!

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Have you seen the Admin's Little Helper app (https://splunkbase.splunk.com/app/6368).  It includes a btool command that lets you see your configurations on both SH and indexers using SPL.

While many configurables can be loaded safely on either/both SH and indexer, others cannot.  Inputs and outputs are good examples.  Clustering settings are another.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi

You could use @richgalloway 's presented apps. I think that there was presentation about it last our previous .conf? Other option is just use REST requests to get that information what you want to show.

On Splunk Cloud you haven't rest access to indexers and otherwise it has restricted amount of endpoints in use. For that reason you cannot get all that information with this way.

IMHO: You should have all this kind of configuration in some version control system like git. Create needed Apps and TAs to store those. Maybe separate TAs based on your needs between HF/UF, Indexers and SH. Then just use any suitable methods / processes to install those into correct environment.

Try to avoid configure that kind of information via both GUI and conf files. In long run you will avoid lot of issues to use git + Apps/TAs with conf files!

r. Ismo

okheggdal
Explorer

Thanks for the reply @isoutamo.. I'll definently have a look at the .conf presentation!

With regards to asking for the details from REST I've only been able to query details from the search heads ie. 

splunk_server=local

by searching.

I'm not sure I was clear on the reason behind my question but what I'm looking for is a way to for example to go to a dashboard to search for sourcetype=foo and find the props details which resides on the idxm/indexers peers.  So it's really a matter of being able to read current configuration without the "hassle" of logging on and reading files not making configuration changes.

As for version control I have the data available in git but what I want it even more readily available directly in Splunk since that is the source after all. 🙂

0 Karma

isoutamo
SplunkTrust
SplunkTrust

You should just replace this 

splunk_server=*

and then it sends that to all search peers.

I cannot recall what are those endpoints, but it’s something under config or configurations.

richgalloway
SplunkTrust
SplunkTrust

Have you seen the Admin's Little Helper app (https://splunkbase.splunk.com/app/6368).  It includes a btool command that lets you see your configurations on both SH and indexers using SPL.

While many configurables can be loaded safely on either/both SH and indexer, others cannot.  Inputs and outputs are good examples.  Clustering settings are another.

---
If this reply helps you, Karma would be appreciated.

okheggdal
Explorer

Thanks for the reply @richgalloway.. I will have a look at the app in more detail as I have only lightly browsed it in the past.   If it dosen't fill the criteria for what I'm looking for in this instance it looks to be a nice tool to have in the arsenal regardless.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...