Why is Forwarder Management not pushing out configuration changes?

andrei1bc
Communicator

Hi

I am using the Forwarder Management to push out configs in the form of apps to the many forwarders in our infrastructure, but the new config is not applied.

My use case:
1. add-on added in the deployment-apps folder
2. add-on pushed to forwarders in my server_class -> no errors returned
3. created new app to enable a URL monitor using the above pushed add-on
4. pushed the new URL_monitor app containing the configs to the forwarders, including a splunkd restart flag -> no errors returned
5. no events are indexed and no errors are returned, although the add-on and the app are present under each forwarder's app folder

Using a curl on the endpoint monitor returns the status.

Add-on name : REST API Modular Input -> https://splunkbase.splunk.com/app/1546/

URL_Monitoring app contents under local directory:

inputs.conf :

[rest://test]
source = test
auth_type = none
endpoint = http://localhost:8888/test/monitoring
http_method = GET
index = main
index_error_response_codes = 0
polling_interval = 60
request_timeout = 50
response_type = xml
sequential_mode = 0
sourcetype = url
streaming_request = 0

props.conf

[url]
category = Custom
pulldown_type = 1
disabled = false
TRANSFORMS-url = url_transformation

transforms.conf

[url_transformation]
REGEX = ^.\w+..\w+.(?<url_status>\w+).+
FORMAT = url_status::$1
WRITE_META = true

Can I please get some direction on what I am doing wrong?

Thank you in advance.

0 Karma
1 Solution

andrei1bc
Communicator

Well. Found the fix:

As the rest app was renamed inside the repository, the rest.py script must also be modified to reflect the new name.

  1. cd /splunk/etc/deployment-apps/test_rest/bin
  2. sed -i 's/rest_ta/test_rest/g' rest.py

Redeployed the addon and everything works.
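
A pre-deployment check for the situation described in the accepted answer, as an added example that is not part of the original thread: it lists leftover references to an app's old directory name and rewrites them to the current one. The function names and the sample file content are constructed; only the names rest_ta, test_rest and rest.py come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): detect and fix leftover references to an
# app's old directory name after it was renamed under deployment-apps.

# Accept only plain app names so they are safe to use in a sed expression.
valid_name() {
    case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Print file:line:text for each whole-word occurrence of OLD_NAME in APP_DIR.
find_stale_refs() {
    valid_name "$2" || return 2
    grep -rnwF -e "$2" "$1"
}

# Number of lines that still mention OLD_NAME (0 means nothing left to fix).
count_stale_refs() {
    find_stale_refs "$1" "$2" | wc -l | tr -d ' '
}

# Replace OLD_NAME with the current directory name in every affected file.
# Writes back with cat so file modes (e.g. executable scripts) are preserved.
fix_stale_refs() {
    app_dir=$1; old=$2; new=$(basename "$app_dir")
    valid_name "$old" && valid_name "$new" || return 2
    grep -rlwF -e "$old" "$app_dir" | while IFS= read -r f; do
        sed "s/$old/$new/g" "$f" > "$f.tmp" && cat "$f.tmp" > "$f"
        rm -f "$f.tmp"
    done
}

# Constructed sample: a renamed app whose script still carries the old name.
make_sample_app() {
    root=$(mktemp -d)
    mkdir -p "$root/deployment-apps/test_rest/bin"
    printf 'APP = "rest_ta"  # constructed line\nprint(APP)\n' \
        > "$root/deployment-apps/test_rest/bin/rest.py"
    echo "$root/deployment-apps/test_rest"
}

app=$(make_sample_app)
echo "before: $(count_stale_refs "$app" rest_ta) stale line(s)"
fix_stale_refs "$app" rest_ta
echo "after:  $(count_stale_refs "$app" rest_ta) stale line(s)"
```

Running find_stale_refs on its own first shows exactly which lines would change before anything is rewritten.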

muebel
SplunkTrust

ah yeah, that would make sense

0 Karma

muebel
SplunkTrust

Have you tested this configuration on a single instance to make sure it works as expected?

Do you see the app being loaded onto one of the new instances?

0 Karma

andrei1bc
Communicator

Forgot to mention that I am using heavy forwarders.

Using the same inputs/props/transforms and the addon on a single instance works, but in my test the files were sitting under the search app and not a new individual app.

0 Karma