- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Custom Deployment Serverclass:app
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I had 2 serverclasses (servers and workstations) and I wanted to add a custom config for the Splunk_TA(technology add-on)_windows app on the DomainControllers so have created a DCs serverclass along with a Splunk_TA_windows app configuration in serverclass.conf as follows:
[serverClass:Servers:app:Splunk_TA_windows]
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled
[serverClass:DomainControllers:app:Splunk_TA_windows]
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled
repositoryLocation = /opt/splunk/etc/deployment-apps/dcs/Splunk_TA_windows
I have removed the whitelist/blacklists from the above snippet. This is deploying the Splunk_TA_windows app configuration from the standard deployment-apps directory to the domain controllers as opposed to the config located in the defined repository location. The domain controllers are in the DomainControllers serverclass and the web console shows that they have Splunk_TA_windows deployed to them after my config changes.
Do I need to provide a unique name for the app?
Also, for some reason I have my deployment config for servers and workstations split across 2 files despite configuring them both in the web console:
Servers: /opt/splunk/etc/apps/search/local/serverclass.conf
Workstations: /opt/splunk/etc/system/local/serverclass.conf
I have been reloading the deployment server after making config changes.
Any assistance on the above would be greatly appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So it looks like the multiple serverclass files is a known issue:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Updating/Useserverclass.conf
The reason my above configuration was failing was because I had the Splunk_TA_windows app for the DC's inside a DC's subfolder in the deployment apps folder. I have moved it into the deployed apps folder and called it Splunk_TA_windows_dc, assigned it to the domaincontroller serverclass and it is now deploying and working as it should.
I also moved all of my config into the system/local/serverclass.conf and renamed the one under the search app directory.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So it looks like the multiple serverclass files is a known issue:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Updating/Useserverclass.conf
The reason my above configuration was failing was because I had the Splunk_TA_windows app for the DC's inside a DC's subfolder in the deployment apps folder. I have moved it into the deployed apps folder and called it Splunk_TA_windows_dc, assigned it to the domaincontroller serverclass and it is now deploying and working as it should.
I also moved all of my config into the system/local/serverclass.conf and renamed the one under the search app directory.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
