Copy the ES apps and add-ons from $SPLUNK_HOME/etc/apps on the staging instance to the $SPLUNK_HOME/etc/shcluster/apps location on the cluster deployer instance. This is the directory where the deployer stores the configuration bundle that it distributes to the search head cluster members. The configuration bundle consists of apps and other configuration files that are not replicated by the cluster. The deployer does not use any of the following directories:

- $SPLUNK_HOME/etc/master-apps/, which is used by the master node in an indexer cluster.
- $SPLUNK_HOME/etc/system/local/, which is used to store local configuration files for the deployer instance itself.
- $SPLUNK_HOME/var/run/searchpeers/, which is used by the search head to store information about the indexer cluster peers.

References:
Use the deployer to distribute apps and configuration updates - Splunk Documentation
Install Splunk Enterprise Security in a search head cluster environment - Splunk Documentation