I am having an issue with the deployment server and I'm not sure what to make of this.
I recently learned about the deployment server and have been using it successfully for a couple weeks now. I have about five apps that are deployed across various AIX hosts.
This morning I created a new app named "echk". I deployed the app and it was deployed to the LightForwarder hosts as normal. Then about two minutes later the app vanished from each of the hosts. Poof! I tried to redeploy it but it doesn't appear to work.
I know it worked for those two minutes because the data was indexed.
I tried moving the app out of /splunk/etc/deployment-apps, then moving it back in. (Bouncing everything in between). It still won't re-deploy.
I don't see anything peculiar in the splunk logs on the indexer. In the forwarder logs I see this: 08-20-2010 09:54:00.422 WARN DeployedApplication - Uninstalling application: echk 08-20-2010 09:54:00.423 WARN DeployedApplication - Removing app at location: /splunk/etc/apps/echk
All other apps are fine. My serverclass.conf has not changed.
Has anyone seen behavior like this before?? How do I begin to resolve this??
I'm using 4.1.4. I restart Splunk after making any changes to the serverclass.conf file. I think I figured out the problem. lephino's question below prompted me to review my serverclass.conf file (again). Turns out I skipped a number. Apparently, that made a difference. Here's what happened:
whitelist.0=hosta
whitelist.1=hostb
whitelist.2=hostc
whitelist.4=hostd
whitelist.3 was missing. I re-numbered them and it fixed the problem. I'm surprised that was the issue...
Can you post your serverclass.conf? This seems like you have a whitelist/blacklist issue.
I would prefer not to post my serverclass.conf file as it reveals host names; our security team would be very cross if I did that. However, upon seeing your request, I triple-checked my serverclass.conf file and noticed an error. I described it in my comment above.
Thanks!
What version of Splunk are you using?
How are you mapping hosts in serverclass.conf? When you update serverclass.conf you do have to restart splunk but if you're only modifying files in $SPLUNK_HOME/etc/deployment-apps you can run a '$SPLUNK_HOME/bin/splunk reload deploy-server'