Splunk Dev

Replicate modular alert HTML across SHC members?

annmarienorcros
Loves-to-Learn Everything

I am trying to get our Add-on that was developed for standalone Splunk to work in a SHC environment.

The Add-on takes input from the user in a setup view and saves the configuration values via custom endpoint using the Splunk JS SDK. When Set up is run on a standalone instance we get custom fields from the system we are connecting to and create the modular alert html using the custom REST endpoint (also stored in /data/ui/alert/sa_myapp.html). Is there a way to replicate the modular alert html across the search had cluster members if running Setup from the Deployer? As far as I can tell the Setup needs to be run on each search head member to generate the html for that node and this conflicts with SHC best practices with Setup run only on the deployer and pushing the conf files to the SHC members.

Setup may need to be rerun for the Add-on if custom fields are added or deleted in the system we are connecting to, to change the html used for mapping the fields between Splunk and our system. Is there a solution so that Setup can only be run on the deployer? How can I replicate the html across the cluster members?

In my investigation the file /data/ui/alert/sa_myapp.html is not replicated across the search heads. If Setup is run on each search head cluster member the html is generated. It is my understanding that Setup should not be run on the SHC members but only on the deployer.  Can Setup run on the deployer post to the custom endpoint on each SHC member?

Labels (4)
0 Karma
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...