Splunk Deployer Push Modes and How to Use Them Properly

By: Karl Cepull | Senior Director, Operational Intelligence

What is Deployer Push Mode?

A Splunk deployer sends apps and configuration files to search head cluster members. The deployer push mode determines where on those members the deployer places the contents of the configuration bundle. For an app pushed to any Splunk server, the location of its .conf files determines where they fall in the order of precedence Splunk uses when loading configuration. To review, a configuration in an app's local folder outweighs the same configuration in its default folder.

By default, the deployer uses “merge_to_default” as the mode. This means all configurations are pushed into the default folder, and existing local configurations override the same configurations in the default folder. The push mode applies to app directories, not user directories. The Splunk deployer has four push modes: full, local_only, default_only, and merge_to_default.

Mode and Description

Full (full)
–        Pushes both the /local/ and /default/ app directories to the members.
–        Do not use full mode for Splunk built-in apps.
–        Use this mode if you want to migrate apps from a single search head to a new search head cluster.
–        Use this mode if you have a configuration in the /local directory of an app on the deployer that you want to push to the members and have deleted from the deployer.

Local Only (local_only)
–        Pushes the /local/ app directories to the members and merges them into the existing files and directories.
–        Use this mode to modify only those apps that already exist on the members.
–        Use this mode to modify the configuration of a built-in app, such as the search app, in its /local directory.

Default Only (default_only)
–        Pushes the /default/ directory and the other non-/local/ app directories to the members.
–        Use this mode if you want to prevent an app's /local directory on the members from receiving configuration changes during a deployer push.

Merge to Default (merge_to_default)
–        Pushes all files from an app's /local/ directory to the corresponding app's /default/ directory, and also merges /default/ files into the /default/ directories on each member.
–        Use this mode if you have a configuration in the /local directory of an app on the deployer that needs to be pushed to the members and deleted from the deployer.

Set the Deployer Push Mode

You can set the deployer push mode globally or per app. App-specific settings take precedence over global settings. Set the push mode globally if you want one policy standard for all apps. Set it per app if you want to target a particular app.

In either case, configure deployer_push_mode under the [shclustering] stanza in app.conf.

Example 1 (Global setting)

$SPLUNK_HOME/etc/system/local/app.conf
[shclustering]
deployer_push_mode = full

Example 2 (App-specific setting)
$SPLUNK_HOME/etc/apps//local/app.conf
[shclustering]
deployer_push_mode = default_only
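
The precedence described above (app-specific over global, with merge_to_default as the fallback) can be checked before a push. The following is an added example, not code from the original article or from Splunk: the function names are hypothetical, the directories are supplied by the caller, the app.conf files are assumed to be simple INI-style files, and the built-in app list defaults to only the search app named in this article.

```python
import configparser
import tempfile
from pathlib import Path

VALID_MODES = {"full", "local_only", "default_only", "merge_to_default"}
DEFAULT_MODE = "merge_to_default"  # the deployer's default, per the article

def read_push_mode(conf_path):
    """Return deployer_push_mode from [shclustering] in an app.conf, or None."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read(conf_path)  # a missing file is silently skipped
    return parser.get("shclustering", "deployer_push_mode", fallback=None)

def effective_push_modes(global_conf, apps_dir, builtin_apps=("search",)):
    """Map each app to (mode, source, warnings); app-specific beats global."""
    global_mode = read_push_mode(global_conf)
    report = {}
    for app in sorted(p for p in Path(apps_dir).iterdir() if p.is_dir()):
        app_mode = read_push_mode(app / "local" / "app.conf")
        if app_mode is not None:
            mode, source = app_mode, "app"
        elif global_mode is not None:
            mode, source = global_mode, "global"
        else:
            mode, source = DEFAULT_MODE, "default"
        warnings = []
        if mode not in VALID_MODES:
            warnings.append("unknown mode")
        if mode == "full" and app.name in builtin_apps:
            warnings.append("full mode on built-in app")
        report[app.name] = (mode, source, warnings)
    return report

def demo():
    """Build a constructed sample tree (not real Splunk data) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        global_conf = root / "system" / "local" / "app.conf"
        global_conf.parent.mkdir(parents=True)
        global_conf.write_text("[shclustering]\ndeployer_push_mode = full\n")
        samples = (("search", None), ("my_app", "default_only"), ("typo_app", "default-only"))
        for name, mode in samples:
            local = root / "apps" / name / "local"
            local.mkdir(parents=True)
            if mode:
                (local / "app.conf").write_text(f"[shclustering]\ndeployer_push_mode = {mode}\n")
        return effective_push_modes(global_conf, root / "apps")

if __name__ == "__main__":
    for app, (mode, source, warnings) in demo().items():
        print(f"{app}: {mode} (from {source}) {warnings}")
```

In the constructed sample, the global full setting is inherited by the search app and flagged, which is the combination the mode descriptions above warn against.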
