Community:Making the deployment server work

From Splunk Wiki

Jump to: navigation, search

Quick example of the steps needed to get the deployment server to work after a 3.x to 4.x upgrade. In this case the deployment server is deploying a set of saved searches to a target indexer.

1) In the 3.x $SPLUNK_HOME/etc/system/local/savedsearch.conf file to be migrated, change all instances of "::" with "=".

For example: sourcetype::access becomes sourcetype=access

2) On the deployment server create an app directory under $SPLUNK_HOME/etc/deployment-apps to hold the modified savedsearches.conf file.

Example: /opt/splunk/etc/deployment-apps/someAppName/

(The equivalent directory in 3.x would have been $SPLUNK_HOME/etc/modules/distributedDeployment/classes/<someClassName>.)

3) Under the someAppName directory create two sub directories:

/opt/splunk/etc/deployment-app/someAppName/default

/opt/splunk/etc/deployment-app/someAppName/metadata


4) Create an app.conf in the default subdirectory and add the following:

[ui]

is_visible = true

is_manageable = true

label = someAppName searches

[launcher]

author=someName

description=Production Searches

version=1.0

5) Place the modified savedsearches.conf from step #1 in the default subdirectory.

6) Create a default.meta file in the metadata subdirectory and add the following lines to setup the global permissions.

[savedsearches]

access = read : [*], write : [ admin ]

export = system

7) On the deployment server create a $SPLUNK_HOME/etc/system/local/serverclass.conf and add the following:

[global]

whitelist.0=*

[serverClass:indexers]

whitelist.0=<target IP address>

[serverClass:indexers:app:someAppName]

stateOnClient=enabled

restartSplunkd=true

These permissions provide standard users with read access and admins with the ability to edit.

8) On the splunk host to receive the app, create $SPLUNK_HOME/etc/system/local/deploymentclient.conf and add the following:

[deploymentClient]

phoneHomeIntervalInSecs = 30

[target-broker:deploymentServer]

targetUri= <deployment server IP address>:8089

9)Reload the deployment server - /opt/splunk/bin/splunk reload deploy-server

The app will be pushed to the deployment client as a bundle file located in /opt/splunk/var/run/<appdir>/*.bundle. After the bundle file is downloaded the deployment client will unpack the app and create the required directory structure under /opt/splunk/etc/apps/<appname>.

At this point the saved searches should be visible in the UI on the deployment client.

--Briang67 14:31, 23 December 2009 (PST)

Personal tools
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk