Reg: Copy of Config files from one splunk indexer to another to recovery on failOver

ReanaKhan
Explorer

Hi All,

Have been trying to do a distributed search set up basically without using shared bundle or search head pooling.

Have been looking into deployment server which seems to be configured to copy apps between indexers.

I basically want to be able to copy all files inside etc from one indexer to another whenever any changes occur in the configuration files there.

We also don't want to have indexer to have heavy forwarder which will only duplicate the indexed data and might have to use dedup along with search text provided.

Working with scenarios of having Load balancing and Data Cloning will also work only if the configuration files like indexes.conf are available at every instance.

Here index should be available before data gets forwarded so that the access to particular indexed data is restricted to certain users only based on user to role map and role to index map.

Thought of using rsync but that needs a restart of Splunk manually/script which might affect if used in production environment.

Any help as soon as possible would be greatly appreciated.

Regards,
Rehana

0 Karma

ReanaKhan
Explorer

Hi,

We wanted this to be able to have all the configuration data during a fail over of one of the splunk indexer instances.
I know we can try search head pooling or shared bundle but, having any such place common for configuration and such configuration server going down will be problematic.

So looking at replicating the etc folder across my indexers.

0 Karma

ReanaKhan
Explorer

Hi,
Could you help with example of the same where the attribute serverClass of serverclass.conf actually points to etc folder entirely as such.

0 Karma

Lamar
Splunk Employee

I'm obliged to ask this: Why would you want to copy over your entire $SPLUNK_HOME/etc directory?

First, I'll say that doing so is generally not a good idea.

If you're wanting to monitor your etc directories for changes, I would highly recommend setting up an fschange monitor inside your inputs.conf.

http://docs.splunk.com/Documentation/Splunk/4.3/Data/Monitorchangestoyourfilesystem

I realize that doesn't really give you what you asked for, but, I want to make sure we're getting down to the real issue here before any real tactical decisions are made.

0 Karma

Lamar
Splunk Employee

I would definitely take a closer look at using the Deployment Server. You'll only need one place to manage all of your configurations and the Splunk Deployment Server can also assist with restarts if they're needed.

As your implementation scales upward and outward you'll be very happy that you took the time to implement a good Deployment Server strategy.

0 Karma
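
An added example, not part of the thread and not taken from Splunk's documentation: a Deployment Server layout that pushes a single app carrying indexes.conf to every indexer and restarts splunkd on change, instead of copying the whole etc directory. The host names, the server class name `indexers`, the app name `org_all_indexes` and the index name `restricted_app_logs` are assumptions chosen for illustration.

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Server class that matches the indexers (host name pattern is an assumption).
[serverClass:indexers]
whitelist.0 = idx*.example.com

# Deploy one app from $SPLUNK_HOME/etc/deployment-apps/ to that class.
# "org_all_indexes" is a hypothetical app name.
[serverClass:indexers:app:org_all_indexes]
# Restart splunkd on the client when the app content changes,
# so a new index exists before forwarders start sending to it.
restartSplunkd = true
stateOnClient = enabled

# --- Deployment server:
# $SPLUNK_HOME/etc/deployment-apps/org_all_indexes/local/indexes.conf ---
# Hypothetical index; the same definition lands on every indexer,
# so role-to-index restrictions refer to an index that exists everywhere.
[restricted_app_logs]
homePath   = $SPLUNK_DB/restricted_app_logs/db
coldPath   = $SPLUNK_DB/restricted_app_logs/colddb
thawedPath = $SPLUNK_DB/restricted_app_logs/thaweddb

# --- Each indexer: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
[deployment-client]

# Management port of the deployment server (host name is an assumption).
[target-broker:deploymentServer]
targetUri = ds.example.com:8089
```

Only the apps listed under a server class are managed this way; instance-specific files elsewhere under etc stay local to each indexer.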