Good afternoon, I'm a regular reader, but this is my first time writing, so I'll introduce myself. I'm Luis and I work with Splunk. Searches, alerts and that kind of thing do not give me problems, and usually everything works out fine, although there are things that are very confusing to me.

When I started with only one instance on my PC to learn, everything was wonderful. However, with my client's Splunk, things change because it is multi-instance. We have 1 Search Head, 1 Deployment Server-Master Cluster, 1 UF, 1 HF and a cluster with two indexers.

My doubt comes from the following: what would be the right way to deploy an app or a configuration? Since we have so many instances and the files are duplicated and tripled in some cases, it seems to me a mess to know which one commands over others, which tasks to do in the graphical environment, which ones through configuration files, when to restart or not... To top it all, I now fail to apply the bundle actions after trying to deploy an application that reads from an API.

Would someone please explain the hierarchy to me so I can understand which files "command" over others? How could I solve the problem of bundle actions if the results don't describe what happens? Should I copy each of the files by hand and replicate them in the other instances? In which cases? For a custom app to work properly, do I need to copy it to the Search Head, HF and DS-MC?

Excuse the pile of questions, but I have already tried by my own means and I can't understand it. Thank you very much.