Splunk Search

deploy and configure apps to a cluster with heavy forwarders

sam1010
Explorer

Can anyone tell me the steps to deploy and configure multiple apps in a cluster with heavy forwarders. 

1 Solution

gcusello
SplunkTrust

Hi @sam1010,

as @manjunathmeti said, on a Search Head Cluster you can use only the Deployer to deploy apps.

The steps to follow are at https://docs.splunk.com/Documentation/Splunk/8.2.1/DistSearch/PropagateSHCconfigurationchanges

in a few words:

  • copy your unzipped apps on the Deployer to $SPLUNK_HOME/etc/shcluster/apps,
  • from CLI, run the command
    splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
  • beware: if your apps are already installed on the SHC, the above command overrides lookups; if you don't want to override lookups, you have to use:
    splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>

 

On Heavy Forwarders, as @manjunathmeti said, you can use the Deployment Server.

The steps are described at https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Updateconfigurations

in a few words:

  • copy your unzipped apps to $SPLUNK_HOME/etc/deployment-apps
  • wait a few minutes or run
    splunk reload deploy-server

Only one attention point: if you have two or more HFs taking syslogs behind a front Load Balancer, there could be the risk that both HFs restart at the same time, so you lose syslogs; in this case I suggest manually installing apps on one HF after the other.

Ciao.

Giuseppe

sam1010
Explorer

@gcusello Thanks for the solution and providing relevant documentation. Is there any documentation for @manjunathmeti's answer's 2nd step as well? i.e. "2. Deploy indexer apps from Cluster Master server to Indexer Servers/Peers in the cluster." In other words, how do I carry out this step about deploying apps in the indexer?


gcusello
SplunkTrust

Hi @sam1010,

Google is your best friend for searching documentation; anyway, you can find the documentation about the Indexer Cluster at https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/Manageappdeployment and at https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/Updatepeerconfigurations

In few words, you have to:

  • by CLI copy your unzipped apps in $SPLUNK_HOME/etc/master-apps,
  • by GUI push the configurations.

Ciao and happy splunking.

Giuseppe


manjunathmeti
Champion

To deploy indexer apps from cluster master:

  • copy your unzipped apps on the cluster master to $SPLUNK_HOME/etc/master-apps
  • from CLI, run the command
    /opt/splunk/bin/splunk apply cluster-bundle --answer-yes -auth <username>:<password>

 

Once the latest bundle is deployed, apps will be stored in $SPLUNK_HOME/etc/slave-apps on indexer servers.

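The three pushes described in this thread (Deployer for the Search Head Cluster, cluster master for the indexer peers, Deployment Server for the heavy forwarders) follow the same pattern: unpack the app into the manager node's staging directory, check that what landed there is actually an app, then run the push command. The script below is an added example, not code from any post in this thread or from Splunk. It assumes SPLUNK_HOME, SPLUNK_BIN and SPLUNK_AUTH (user:password) environment variables, that every app ships as a .tgz whose top-level directory holds default/app.conf, and that `reload deploy-server` accepts the standard `-auth` option (the thread shows it without one).

```shell
#!/bin/sh
# Added example, not from the thread. Stages unzipped apps into the staging
# directory of each tier's manager node and runs the matching push command.
# Assumed (not on the page): SPLUNK_HOME, SPLUNK_BIN and SPLUNK_AUTH
# (user:password) environment variables, and that each app archive is a .tgz
# whose top-level directory holds default/app.conf.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_BIN="${SPLUNK_BIN:-$SPLUNK_HOME/bin/splunk}"

# staging_dir TIER: where each manager node reads apps from before a push.
staging_dir() {
    case "$1" in
        shc) echo "$SPLUNK_HOME/etc/shcluster/apps" ;;     # Deployer
        idx) echo "$SPLUNK_HOME/etc/master-apps" ;;        # cluster master
        hf)  echo "$SPLUNK_HOME/etc/deployment-apps" ;;    # Deployment Server
        *)   echo "unknown tier: $1" >&2; return 1 ;;
    esac
}

# stage_app TIER ARCHIVE: unpack one app into the staging directory and fail
# if the result is not a Splunk app (no default/ or local/ app.conf), so a
# stray archive never gets pushed to the whole cluster.
stage_app() {
    dest="$(staging_dir "$1")" || return 1
    app="$(tar -tzf "$2" | head -n 1 | cut -d/ -f1)"
    mkdir -p "$dest"
    tar -xzf "$2" -C "$dest"
    if [ ! -f "$dest/$app/default/app.conf" ] && [ ! -f "$dest/$app/local/app.conf" ]; then
        echo "$2: no app.conf under $app/, refusing to push it" >&2
        return 1
    fi
    echo "$dest/$app"
}

# push_tier TIER TARGET PRESERVE: run the push for the tier. TARGET is the
# management URI (host:port) and is only used for the SHC; PRESERVE=yes adds
# -preserve-lookups true so lookups already on the SHC are not overwritten.
push_tier() {
    case "$1" in
        shc)
            if [ "${3:-no}" = "yes" ]; then
                "$SPLUNK_BIN" apply shcluster-bundle -target "$2" \
                    -preserve-lookups true -auth "$SPLUNK_AUTH"
            else
                "$SPLUNK_BIN" apply shcluster-bundle -target "$2" -auth "$SPLUNK_AUTH"
            fi ;;
        idx) "$SPLUNK_BIN" apply cluster-bundle --answer-yes -auth "$SPLUNK_AUTH" ;;
        # Reloading pushes to every matching deployment client at once, which
        # is why the thread advises installing on load-balanced syslog HFs one
        # at a time instead. (-auth here is an assumption, see the lead-in.)
        hf)  "$SPLUNK_BIN" reload deploy-server -auth "$SPLUNK_AUTH" ;;
        *)   echo "unknown tier: $1" >&2; return 1 ;;
    esac
}

# Usage: sh deploy_apps.sh TIER TARGET yes|no app1.tgz [app2.tgz ...]
if [ "$#" -ge 4 ]; then
    tier="$1"; target="$2"; preserve="$3"; shift 3
    for archive in "$@"; do
        stage_app "$tier" "$archive"
    done
    push_tier "$tier" "$target" "$preserve"
fi
```

Run it as `SPLUNK_AUTH=admin:... sh deploy_apps.sh shc sh1.example:8089 yes app1.tgz app2.tgz` on the Deployer, `... idx "" no ...` on the cluster master, and `... hf "" no ...` on the Deployment Server. Passing `yes` as the third argument mirrors the `-preserve-lookups true` variant from the accepted answer; use it whenever the apps are already on the SHC and the lookups there hold data you do not want replaced by the copies in the bundle.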

manjunathmeti
Champion

1. Deploy search head apps from the Deployer server to Search Heads in the cluster.

2. Deploy indexer apps from Cluster Master server to Indexer Servers/Peers in the cluster.

3. Deploy heavy forwarder apps from Deployment server to Heavy Forwarders.
