Deployment Architecture

Serverclass.conf - Using the same app name under different classes and repositoryLocations now appears broken in v6.0

Lucas_K
Motivator

I've been trying to upgrade our Splunk v5.0.4 deployment server to v6.0.

It appears that our existing serverclass is now broken under v6.0

The situation is that we have a few base configurations that are pushed out to all clients and are based on their client type. forwarders, indexers, search heads, job servers and so on. These contain such things as where the deployment server is. Where to forward internal logs (very useful for sos) etc.

We used a naming standard in which they were all called the same name. ie. "sys_conf".
They used the respositoryLocation parameter per class definition (which is a still supported configuration according to current v6.0 documentation - http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Serverclassconf#serverclass.conf.example ).

So an example config.

INDEXERS - ONLY indexers should get this app.
[serverClass:sys_indexer]
filterType= blacklist
blacklist.0=*
whitelist.0=idx
restartSplunkd = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps/sys_config/indexer/
[serverClass:sys_indexer:app:sys_conf]

FORWARDERS - ONLY forwarders should get this app.
[serverClass:sys_forwarder]
filterType= blacklist
blacklist.0=*
whitelist.0=fwder
restartSplunkd = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps/sys_config/forwarder/
[serverClass:sys_forwarder:app:sys_conf]

Each unique repository location contains a "sys_conf" system app containing unique base configurations for that platform type.

In each clients deploymentclient.conf they have their clientName set to "idx" or "fwder". Checking splunkd.log shows they the correct endpoint is called.

However on the deployment server if we check /opt/splunk/var/run/tmp/ we will find all bundles for sys_conf.xxxxx will be identical and will only contain the contents of the very first defined repository location for a that unique app name.

A splunk btool serverclass list output shows the correct order of black listing and classes.

The issue I have is that its not just for base splunk configurations we have this for but right across various apps and TA's also!

I can verify this behaviour by picking a previously broken base app and calling the app something unique.

Has this functionality of being able to use the same app name in different classes and repository locations changed in v6.0?

1 Solution

Lucas_K
Motivator

Support confirms this as a reproducible v6.0 issue so I will just have to wait on a fix.

View solution in original post

Lucas_K
Motivator

Support confirms this as a reproducible v6.0 issue so I will just have to wait on a fix.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...