
How do I get a script pushed to all forwarders via deployment server?

robp
Engager

I have 200+ light forwarders. I use deployment servers to manage their configuration. Can I use the deployment server to push a bash script that needs to be located in $SPLUNK_HOME/etc/system/bin to each system?


Lowell
Super Champion

You may be able to leverage something from a script posted here:

It's a hackish approach, but it can work. It does demonstrate the "run-once" principle, but it would be slightly different (probably simpler) in your case.

oreoshake
Communicator

Not that this is a good idea...but couldn't you push a script to etc/apps/APP/bin that copies itself or another file to etc/system/bin? Just have it run once, then remove it. I've thought about using this strategy to push things to dirs outside of etc/apps but I haven't found a NEED to do so. This is a potentially damaging scenario.

gkanapathy
Splunk Employee

No. However, you can use it to push to any $SPLUNK_HOME/etc/apps/MYAPP/bin folder. I can't think of anything that must reside in etc/system/bin that cannot also work if it is located in an app's bin folder, so this might be a solution for you.

gkanapathy
Splunk Employee

That is incorrect. Scripts can be called from etc/apps/MYAPP/bin/. They can be called from their own app, or globally if they are exported correctly in the metadata/local.meta file.

0 Karma

robp
Engager

My understanding of scripts is that they MUST be resident within the /etc/system/bin folder or they won't be called. Ideally, I could just call files on the filesystem. What I don't want to do is have the deployment server wipe out the /bin directory with what the deployment server pushes out. I'm hoping to merge deployment server data with that directory, or have Splunk change the Script rules.

0 Karma
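
The app-based approach described in gkanapathy's replies above, as an added configuration example that is not part of the original posts or Splunk's own material: the script ships inside an app's bin folder and is exported through metadata/local.meta. The app name MYAPP comes from the thread; the server class name, the script name collect.sh, the interval and the sourcetype are assumptions.

```ini
# --- On the deployment server ---
# Staged app layout (script name collect.sh is an assumption):
#   $SPLUNK_HOME/etc/deployment-apps/MYAPP/bin/collect.sh
#   $SPLUNK_HOME/etc/deployment-apps/MYAPP/default/inputs.conf
#   $SPLUNK_HOME/etc/deployment-apps/MYAPP/metadata/local.meta

# serverclass.conf (server class name "all_forwarders" is an assumption)
[serverClass:all_forwarders]
# Matches every deployment client; narrow the pattern to limit
# which hosts receive (and execute) the script.
whitelist.0 = *

[serverClass:all_forwarders:app:MYAPP]
stateOnClient = enabled
# Restart the forwarder after the app is installed so the new input loads.
restartSplunkd = true

# --- Inside the app ---
# MYAPP/default/inputs.conf
# Scripted input that points at the app's own bin folder, not etc/system/bin.
[script://$SPLUNK_HOME/etc/apps/MYAPP/bin/collect.sh]
interval = 300
sourcetype = myapp:collect
disabled = 0

# MYAPP/metadata/local.meta
# Export the app's objects globally, as mentioned in the reply above.
[]
export = system
```

With this layout the deployment server installs only the MYAPP directory under etc/apps on each forwarder, so nothing is pushed into etc/system/bin.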