Deployment Architecture

Deployment app vanished

Branden
Builder

I am having an issue with the deployment server and I'm not sure what to make of this.

I recently learned about the deployment server and have been using it successfully for a couple weeks now. I have about five apps that are deployed across various AIX hosts.

This morning I created a new app named "echk". I deployed the app and it was deployed to the LightForwarder hosts as normal. Then about two minutes later the app vanished from each of the hosts. Poof! I tried to redeploy it but it doesn't appear to work.

I know it worked for those two minutes because the data was indexed.

I tried moving the app out of /splunk/etc/deployment-apps, then moving it back in. (Bouncing everything in between). It still won't re-deploy.

I don't see anything peculiar in the splunk logs on the indexer. In the forwarder logs I see this: 08-20-2010 09:54:00.422 WARN DeployedApplication - Uninstalling application: echk 08-20-2010 09:54:00.423 WARN DeployedApplication - Removing app at location: /splunk/etc/apps/echk

All other apps are fine. My serverclass.conf has not changed.

Has anyone seen behavior like this before?? How do I begin to resolve this??

0 Karma

Branden
Builder

I'm using 4.1.4. I restart Splunk after making any changes to the serverclass.conf file. I think I figured out the problem. lephino's question below prompted me to review my serverclass.conf file (again). Turns out I skipped a number. Apparently, that made a difference. Here's what happened:
whitelist.0=hosta
whitelist.1=hostb
whitelist.2=hostc
whitelist.4=hostd

whitelist.3 was missing. I re-numbered them and it fixed the problem. I'm surprised that was the issue...

0 Karma

bbingham
Builder

Can you post your serverclass.conf? This seems like you have a whitelist/blacklist issue.

Branden
Builder

I would prefer not to post my serverclass.conf file as it reveals host names; our security team would be very cross if I did that. However, upon seeing your request, I triple-checked my serverclass.conf file and noticed an error. I described it in my comment above.
Thanks!

0 Karma

bwooden
Splunk Employee
Splunk Employee

What version of Splunk are you using?

0 Karma

bwooden
Splunk Employee
Splunk Employee

How are you mapping hosts in serverclass.conf? When you update serverclass.conf you do have to restart splunk but if you're only modifying files in $SPLUNK_HOME/etc/deployment-apps you can run a '$SPLUNK_HOME/bin/splunk reload deploy-server'

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...