Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

deploy and configure apps to a cluster with heavy forwarders

sam1010
Explorer
‎08-08-2021 10:37 PM

Can anyone tell me the steps to deploy and configure multiple apps in a cluster with heavy forwarders. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-09-2021 12:45 AM

Hi @sam1010,

as @manjunathmeti said, on a Search Hards Cluster you can use only Deployer to deploy apps.

The steps to follow are at https://docs.splunk.com/Documentation/Splunk/8.2.1/DistSearch/PropagateSHCconfigurationchanges

in few words:

  • copy your unzipepd apps on Deployer $SPLUNK_HOME/etc/shcluste/apps,
  • flom CLI, run the command 
splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
  • beware: if your apps are already installed on the SHC, the above command overrides lookups, if you don't want to override lookups, you have to use:
splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>

 

On Heavy Forwarders, as @manjunathmeti said, you can use the Deployment Server.

The steps are described at https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Updateconfigurations

in few words:

  • copy your unzipped apps at $SPLUNK_HOME/etc/deployment-apps
  • wait few minutes or run
splunk reload deploy-server

Only one attention point: if you have two or more HF to take syslogs with a front Load Balancer, in this way there could be the risk that both the HFs restart at the same time, so you lose syslogs, in this case I hint to manually install apps one HF after the other.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-09-2021 12:45 AM

Hi @sam1010,

as @manjunathmeti said, on a Search Hards Cluster you can use only Deployer to deploy apps.

The steps to follow are at https://docs.splunk.com/Documentation/Splunk/8.2.1/DistSearch/PropagateSHCconfigurationchanges

in few words:

  • copy your unzipepd apps on Deployer $SPLUNK_HOME/etc/shcluste/apps,
  • flom CLI, run the command 
splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
  • beware: if your apps are already installed on the SHC, the above command overrides lookups, if you don't want to override lookups, you have to use:
splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>

 

On Heavy Forwarders, as @manjunathmeti said, you can use the Deployment Server.

The steps are described at https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Updateconfigurations

in few words:

  • copy your unzipped apps at $SPLUNK_HOME/etc/deployment-apps
  • wait few minutes or run
splunk reload deploy-server

Only one attention point: if you have two or more HF to take syslogs with a front Load Balancer, in this way there could be the risk that both the HFs restart at the same time, so you lose syslogs, in this case I hint to manually install apps one HF after the other.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

sam1010
Explorer
‎08-09-2021 11:47 AM

@gcusello  Thanks for the solution and providing relevant documentation. Is there any documentation for @manjunathmeti 's answers 2nd step as well? i.e. " 2. Deploy indexer apps from Cluster Master server to Indexer Servers/Peers in the cluster." In other words how do I carry out this step about deploying apps in indexer?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-10-2021 12:31 AM

Hi @sam1010,

Google is your best friend for searching documentation, anyway, you can find the documentation about Indexers Cluster  at https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/Manageappdeployment and at https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/Updatepeerconfigurations 

In few words, you have to:

  • by CLI copy your unzipped apps in $SPLUNK_HOME/etc/master-apps,
  • by GUI push the configurations.

Ciao and happy splunking.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎08-09-2021 07:01 PM

To deploy indexer apps from cluster master:

  • copy your unzipped apps on cluster master $SPLUNK_HOME/etc/master-apps
  • from CLI, run the command 
/opt/splunk/bin/splunk apply cluster-bundle --answer-yes -auth <username>:<password>

 

Once the latest bundle is deployed, apps will be stored in $SPLUNK_HOME/etc/slave-apps on indexer servers.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎08-09-2021 12:21 AM

1. Deploy search head apps from the Deployer server to Search Heads in the cluster.

2. Deploy indexer apps from Cluster Master server to Indexer Servers/Peers in the cluster.

3. Deploy heavy forwarder apps from Deployment server to Heavy Forwarders.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...