Hi there
I've run into an issue where I can sort of guess why I'm having issues though have no clear idea regarding how to solve it.
In our distributed environment we have a "lookup app" in our deployer,
TA_lookups/lookups/lookupfile.csv
Recently a coworker added a few new lookup files and made additions to the file in question.
This is where the problem manifests, logging onto the deployer, checking that the correct files are present in
/opt/splunk/etc/shcluster/apps/TA_lookups/lookups/lookupfile.csv
Everything looks great. Applying the bundle worked without any complaints/errors. All the new csv files show up in the cluster and are accessible from the GUI; however, this one file, the "lookupfile.csv", is not updated.
So I can sort of guess that it may have something to do with the file being in use or something, though I am stumped as to how I should go about solving this?
I've tried making some additional changes to the file, checked for any weird line breaking or something, and nothing.
I can see from the CLI that this one file has not been modified since the initial deployment, so the deployer applies the bundle, there are no complaints on either end that I can find, it just skips this one pre-existing csv file completely and as far as I can see, silently.
What do I do here? Is there a way to "force" the push? Is the only way to solve this to just manually remove the app from the SH cluster and push again? All suggestions are welcome 🙂
Best regards
Never figured out the "why" part, but there is a "how" part.
Finding no explanation or solution and with no "force push" option, having exhausted all other options, I ended up manually transferring the lookup files to the appropriate locations in the cluster with the correct ownership etc. and it "just worked".
So "problem solved"
The deployment server to UF's app push works a bit strange.
It may take, even years, to understand this DS and the apps structure. Good that you are able to understand the how part.
Thanks for updating your own question. Maybe you can do "accept as solution" to post, thanks.
Well, it's all a bit of magic, isn't it 🙂 In this case it was the search head deployer pushing the CSV files to the search head cluster. Though I've seen similar issues from the deployment server trying to push changes to the heavy forwarder layer.
Sure, I guess even if the cause of the issue remains clouded in mystery, the actual problem is solved and I should accept this as the solution.