deploy and configure apps to a cluster with heavy forwarders

sam1010
Explorer

Can anyone tell me the steps to deploy and configure multiple apps in a cluster with heavy forwarders?

0 Karma

gcusello
SplunkTrust

Hi @sam1010,

as @manjunathmeti said, on a Search Head Cluster you can use only the Deployer to deploy apps.

The steps to follow are at https://docs.splunk.com/Documentation/Splunk/8.2.1/DistSearch/PropagateSHCconfigurationchanges

In a few words:

  • copy your unzipped apps on Deployer $SPLUNK_HOME/etc/shcluster/apps,
  • from CLI, run the command
splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
  • beware: if your apps are already installed on the SHC, the above command overrides lookups; if you don't want to override lookups, you have to use:
splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>

 

On Heavy Forwarders, as @manjunathmeti said, you can use the Deployment Server.

The steps are described at https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Updateconfigurations

In a few words:

  • copy your unzipped apps at $SPLUNK_HOME/etc/deployment-apps
  • wait a few minutes or run
splunk reload deploy-server

Only one attention point: if you have two or more HFs taking syslogs behind a front Load Balancer, there could be the risk that both HFs restart at the same time, so you lose syslogs; in this case I suggest manually installing apps on one HF after the other.

Ciao.

Giuseppe
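
As an added example (not part of the original posts and not Splunk tooling): a pre-flight check for the staging directories named in this answer, to run before `splunk apply shcluster-bundle` or `splunk reload deploy-server`. `preflight_staging` is a hypothetical helper name, the "no default/ or local/" test is a heuristic assumption, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. preflight_staging is a hypothetical helper.
# Usage: preflight_staging DIR   (e.g. $SPLUNK_HOME/etc/shcluster/apps)
# Prints one finding per line; returns 1 if the bundle should not be pushed yet:
#   ARCHIVE <file>  app is still packed; the answer says to copy *unzipped* apps
#   NOCONF  <dir>   no default/ or local/ inside (heuristic assumption: often an
#                   extra nesting level left over from unzipping)
#   LOOKUPS <dir>   app ships lookups/*.csv (informational): on a search head
#                   cluster, decide whether to add "-preserve-lookups true"
preflight_staging() {
    pf_dir=$1
    pf_rc=0
    if [ ! -d "$pf_dir" ]; then
        echo "MISSING $pf_dir"
        return 1
    fi
    for pf_entry in "$pf_dir"/*; do
        [ -e "$pf_entry" ] || continue      # empty directory: glob stayed literal
        pf_name=${pf_entry##*/}
        if [ -f "$pf_entry" ]; then
            case "$pf_name" in
                *.tgz|*.tar.gz|*.spl|*.zip) echo "ARCHIVE $pf_name"; pf_rc=1 ;;
            esac
            continue
        fi
        if [ ! -d "$pf_entry/default" ] && [ ! -d "$pf_entry/local" ]; then
            echo "NOCONF $pf_name"
            pf_rc=1
        fi
        for pf_csv in "$pf_entry"/lookups/*.csv; do
            if [ -f "$pf_csv" ]; then
                echo "LOOKUPS $pf_name"
                break
            fi
        done
    done
    return "$pf_rc"
}

# Constructed sample tree (not real apps) so the check can be run offline.
demo=$(mktemp -d)
mkdir -p "$demo/TA_good/default" "$demo/TA_lookup/default" \
         "$demo/TA_lookup/lookups" "$demo/TA_empty"
: > "$demo/TA_lookup/lookups/assets.csv"
: > "$demo/TA_packed.tgz"
preflight_staging "$demo" || echo "fix the findings above before applying the bundle"
```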

sam1010
Explorer

@gcusello Thanks for the solution and for providing the relevant documentation. Is there any documentation for the 2nd step of @manjunathmeti's answer as well? i.e. "2. Deploy indexer apps from Cluster Master server to Indexer Servers/Peers in the cluster." In other words, how do I carry out this step of deploying apps on the indexers?

0 Karma

gcusello
SplunkTrust

Hi @sam1010,

Google is your best friend for searching documentation; anyway, you can find the documentation about Indexer Clusters at https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/Manageappdeployment and at https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/Updatepeerconfigurations

In a few words, you have to:

  • by CLI copy your unzipped apps in $SPLUNK_HOME/etc/master-apps,
  • by GUI push the configurations.

Ciao and happy splunking.

Giuseppe

0 Karma

manjunathmeti
SplunkTrust

To deploy indexer apps from cluster master:

  • copy your unzipped apps on cluster master $SPLUNK_HOME/etc/master-apps
  • from CLI, run the command 
/opt/splunk/bin/splunk apply cluster-bundle --answer-yes -auth <username>:<password>

 

Once the latest bundle is deployed, apps will be stored in $SPLUNK_HOME/etc/slave-apps on indexer servers.

0 Karma

manjunathmeti
SplunkTrust

1. Deploy search head apps from the Deployer server to Search Heads in the cluster.

2. Deploy indexer apps from Cluster Master server to Indexer Servers/Peers in the cluster.

3. Deploy heavy forwarder apps from Deployment server to Heavy Forwarders.
