Splunk Enterprise

An app with deployer_push_mode = local_only overrides default\app.conf on the SHC

NoSpaces
Contributor

Hello everyone!
This is not a significant issue, but sometimes I observe a somewhat strange behavior after pushing a configuration bundle from the deployer.
I have numerous default apps containing an app.conf file under the local directory with the content below:

"C:\Program Files\Splunk\etc\shcluster\apps\search\local\app.conf"
[shclustering]
deployer_push_mode = local_only

 
To push a bundle I use this command:

splunk apply shcluster-bundle -target $host -auth $authString -push-default-apps yes --answer-yes

 

After successfully pushing the bundle, I sometimes observe the warning below on a random search head:

File Integrity checks found 4 files that did not match the system-provided manifest. 

And it's always app.conf, for example: 'C:\Program Files\Splunk\etc\apps\search\default\app.conf'


Is there a way to fix this? Or maybe I'm doing something wrong?
Am I wrong to expect that 'local_only' mode never touches the 'default' directory on the target host?

 

0 Karma

kiran_panchavat
Influencer

@NoSpaces 

In general, there are four modes of deployer_push_mode:


- full

- merge_to_default

- local_only

- default_only

By default, the merge_to_default setting is enabled.

- If set to "full": Bundles all of the app's contents located in default/, local/, users/<app>/, and other app subdirs. It then pushes the bundle to the members. When applying the bundle on a member, the non-local and non-user configurations from the deployer's app folder are copied to the member's app folder, overwriting existing contents. Local and user configurations are merged with the corresponding folders on the member, such that member configuration takes precedence. This option should not be used for built-in apps, as overwriting the member's built-in apps can result in adverse behavior.

- If set to "merge_to_default": Merges the local and default folders into the default folder and pushes the merged app to the members. When applying the bundle on a member, the default configuration on the member is overwritten. User configurations are copied and merged with the user folder on the member, such that the existing configuration on the member takes precedence.

- If set to "local_only": This option bundles the app's local directory (and its metadata) and pushes it to the cluster. When applying the bundle to a member, the local configuration from the deployer is merged with the local configuration on the member, such that the member's existing configuration takes precedence. Use this option to push the local configuration of built-in apps, such as search. If used to push an app that relies on non-local content (such as default/ or bin/), these contents must already exist on the member.

Based on your requirement you can change the deployer_push_mode.

It is highly advisable to review the document below to gain a clear understanding of the behavior before implementing any changes.

https://docs.splunk.com/Documentation/Splunk/9.3.1/DistSearch/PropagateSHCconfigurationchanges#Choos... 

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma

NoSpaces
Contributor

It seems that you misunderstood my question a bit.
Every app has a deployer_push_mode setting,
and as I said, the affected apps use deployer_push_mode = local_only.

0 Karma

livehybrid
Super Champion

Hi @NoSpaces 

This is odd behaviour - as you say, you would not expect any changes to the default app.conf when using local_only.

Do you notice anything change in the search/default/app.conf compared to what it should be out of the box?

I would suggest contacting Splunk Support about this and getting it raised as a bug - or perhaps they can give additional insight into this!

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

NoSpaces
Contributor

The edited app.conf has an additional line indicating the fact that the app was configured:

[install]
is_configured = true
state = enabled
allows_disable = false
install_source_checksum = <checksum>

 

 

0 Karma
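The comparison asked for in the thread (a member's default/app.conf against the out-of-the-box copy) can be done stanza by stanza, which makes it easy to tell a state-only change such as the [install] stanza shown above from an unexpected edit behind a file integrity warning. This is an added example, not code from any poster or from Splunk; the function names and the baseline text are constructed stand-ins, and only the observed [install] stanza comes from the post above.

```python
def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas = {}
    current = "default"  # assumption: settings before any header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def diff_conf(baseline, observed):
    """Return (kind, stanza, key, detail) tuples for every difference."""
    changes = []
    for stanza in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(stanza, {}), observed.get(stanza, {})
        for key in sorted(set(old) | set(new)):
            if key not in old:
                changes.append(("added", stanza, key, new[key]))
            elif key not in new:
                changes.append(("removed", stanza, key, old[key]))
            elif old[key] != new[key]:
                changes.append(("changed", stanza, key, f"{old[key]} -> {new[key]}"))
    return changes


# Constructed baseline: a stand-in for the shipped file, not its real content.
BASELINE = """[install]
state = enabled
allows_disable = false

[ui]
is_visible = true
"""

# Observed file: [install] stanza as posted in the thread, rest constructed.
OBSERVED = """[install]
is_configured = true
state = enabled
allows_disable = false
install_source_checksum = <checksum>

[ui]
is_visible = true
"""

if __name__ == "__main__":
    for change in diff_conf(parse_conf(BASELINE), parse_conf(OBSERVED)):
        print(*change)
```

On a real member, read both files from disk and pass their contents to parse_conf in place of the constructed strings.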