How does the deployment server know when an app that it manages has been updated and should be sent to clients? Does it use file timestamps, checksums, or some other magic? Also, after making an update, is there a major difference between running 'splunk restart' versus 'splunk reload deploy-server'?
It basically does fschange:// on the directory containing deployment server files.
You can see the results of this in the _audit index; look for any actions with /deployment-server/ in the path, i.e.:
index=_audit path="*deployment-apps*"
You will see all file modifications that Splunk detected. Once a file in an app has been modified, Splunk calculates a checksum of the whole directory. This checksum is given to agents when they download the app initially. When checking whether something changed, the agents compare the current checksum they have with the one supplied by the server; if it doesn't match, the application is downloaded and installed.
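The checksum comparison described in the answer above, modelled as an added example (not part of the original answer and not Splunk's code). The use of SHA-256 over relative paths and file contents, and the names `app_checksum`, `client_needs_download` and `sample_app`, are assumptions; the page does not say which algorithm or inputs Splunk uses.

```python
import hashlib
import os
import tempfile


def app_checksum(app_dir):
    """Digest over every file's relative path and content, in sorted order."""
    digest = hashlib.sha256()
    for root, dirs, files in os.walk(app_dir):
        dirs.sort()  # sort in place so traversal order is deterministic
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, app_dir).replace(os.sep, "/")
            digest.update(rel.encode() + b"\0")
            with open(path, "rb") as fh:
                data = fh.read()
            # Length prefix keeps file boundaries unambiguous in the stream.
            digest.update(len(data).to_bytes(8, "big") + data)
    return digest.hexdigest()


def client_needs_download(client_checksum, server_checksum):
    """Client-side decision: fetch the app again only on a mismatch."""
    return client_checksum != server_checksum


def demo():
    """Constructed sample app; returns (after_touch, after_edit) decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        app_root = os.path.join(tmp, "deployment-apps", "sample_app")
        os.makedirs(os.path.join(app_root, "local"))
        conf = os.path.join(app_root, "local", "inputs.conf")
        with open(conf, "w") as fh:
            fh.write("[monitor:///var/log/messages]\n")
        installed = app_checksum(app_root)   # checksum the client holds
        os.utime(conf, (0, 0))               # timestamp-only change
        touched = client_needs_download(installed, app_checksum(app_root))
        with open(conf, "a") as fh:
            fh.write("disabled = 1\n")       # real content change
        edited = client_needs_download(installed, app_checksum(app_root))
        return touched, edited


if __name__ == "__main__":
    print(demo())
```

In this model a timestamp-only change leaves the digest unchanged, while any content change produces a mismatch and a re-download.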
From http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Aboutdeploymentserver
Communication between deployment server and clients
The deployment client periodically polls the deployment server, identifying itself. The deployment server then reviews the information in its configuration to find out if there is something new or updated to push out to that particular client. If there is new content to deploy to a given deployment client, the deployment server tells the client exactly what it should retrieve. The deployment client then retrieves the new content and treats it according to the instructions specified for the server class it belongs to--maybe it should restart, run a script, or just wait until someone tells it to do something else.
As far as "splunk restart" vs "splunk reload deploy-server" is concerned, running the first restarts the whole agent, meaning if you run the web interface, it will also shut down; running just the latter will only reload the deployment configurations.
Remember to mark as answered if I have answered your questions. Thanks!
Unfortunately that is the extent of my knowledge and what I could find. You could pose this question to support if you don't get an answer here though.
"The deployment server then reviews the information in its configuration to find out if there is something new or updated to push out to that particular client." - How does it do this review? I am looking for info on what's going on under the hood.