Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

deploy and configure apps to a cluster with heavy forwarders

sam1010
Explorer
‎08-08-2021 10:37 PM

Can anyone tell me the steps to deploy and configure multiple apps in a cluster with heavy forwarders. 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-09-2021 12:45 AM

Hi @sam1010,

as @manjunathmeti said, on a Search Hards Cluster you can use only Deployer to deploy apps.

The steps to follow are at https://docs.splunk.com/Documentation/Splunk/8.2.1/DistSearch/PropagateSHCconfigurationchanges

in few words:

  • copy your unzipepd apps on Deployer $SPLUNK_HOME/etc/shcluste/apps,
  • flom CLI, run the command 
splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
  • beware: if your apps are already installed on the SHC, the above command overrides lookups, if you don't want to override lookups, you have to use:
splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>

 

On Heavy Forwarders, as @manjunathmeti said, you can use the Deployment Server.

The steps are described at https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Updateconfigurations

in few words:

  • copy your unzipped apps at $SPLUNK_HOME/etc/deployment-apps
  • wait few minutes or run
splunk reload deploy-server

Only one attention point: if you have two or more HF to take syslogs with a front Load Balancer, in this way there could be the risk that both the HFs restart at the same time, so you lose syslogs, in this case I hint to manually install apps one HF after the other.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-09-2021 12:45 AM

Hi @sam1010,

as @manjunathmeti said, on a Search Hards Cluster you can use only Deployer to deploy apps.

The steps to follow are at https://docs.splunk.com/Documentation/Splunk/8.2.1/DistSearch/PropagateSHCconfigurationchanges

in few words:

  • copy your unzipepd apps on Deployer $SPLUNK_HOME/etc/shcluste/apps,
  • flom CLI, run the command 
splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
  • beware: if your apps are already installed on the SHC, the above command overrides lookups, if you don't want to override lookups, you have to use:
splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>

 

On Heavy Forwarders, as @manjunathmeti said, you can use the Deployment Server.

The steps are described at https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Updateconfigurations

in few words:

  • copy your unzipped apps at $SPLUNK_HOME/etc/deployment-apps
  • wait few minutes or run
splunk reload deploy-server

Only one attention point: if you have two or more HF to take syslogs with a front Load Balancer, in this way there could be the risk that both the HFs restart at the same time, so you lose syslogs, in this case I hint to manually install apps one HF after the other.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

sam1010
Explorer
‎08-09-2021 11:47 AM

@gcusello  Thanks for the solution and providing relevant documentation. Is there any documentation for @manjunathmeti 's answers 2nd step as well? i.e. " 2. Deploy indexer apps from Cluster Master server to Indexer Servers/Peers in the cluster." In other words how do I carry out this step about deploying apps in indexer?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-10-2021 12:31 AM

Hi @sam1010,

Google is your best friend for searching documentation, anyway, you can find the documentation about Indexers Cluster  at https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/Manageappdeployment and at https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/Updatepeerconfigurations 

In few words, you have to:

  • by CLI copy your unzipped apps in $SPLUNK_HOME/etc/master-apps,
  • by GUI push the configurations.

Ciao and happy splunking.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎08-09-2021 07:01 PM

To deploy indexer apps from cluster master:

  • copy your unzipped apps on cluster master $SPLUNK_HOME/etc/master-apps
  • from CLI, run the command 
/opt/splunk/bin/splunk apply cluster-bundle --answer-yes -auth <username>:<password>

 

Once the latest bundle is deployed, apps will be stored in $SPLUNK_HOME/etc/slave-apps on indexer servers.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎08-09-2021 12:21 AM

1. Deploy search head apps from the Deployer server to Search Heads in the cluster.

2. Deploy indexer apps from Cluster Master server to Indexer Servers/Peers in the cluster.

3. Deploy heavy forwarder apps from Deployment server to Heavy Forwarders.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...