topic Re: When I edit inputs.conf and outputs.conf using the cli command, is there a reason why the paths to the modified file in Getting Data In

When I edit inputs.conf and outputs.conf using the cli command, is there a reason why the paths to the modified files ar

munang — Sat, 30 Dec 2023 04:14:33 GMT

If I use the command ./splunk add monitor /var/log,

-> /splunk/etc/apps/search/local/inputs.conf file will be modified.

However, if I use the command ./splunk add forward-server a.a.a.a:9997,

-> /splunk/etc/system/local/outputs.conf is modified.

Why are both the same cli tasks, but one modifies the file under the search app and the other modifies the system file?

Even considering the priority of the conf configuration file, both are GLOBAL CONTEXT, so I think they should both be placed under the System folder.

My question may be inappropriate or may have some shortcomings. I would really appreciate your advice.

Re: When I edit inputs.conf and outputs.conf using the cli command, is there a reason why the paths to the modified file

gcusello — Sat, 30 Dec 2023 07:23:50 GMT

Hi @munang,

the command is always the same (splunk) bt the action is a different action, recorded ina different conf file:

./splunk add monitor /var/log adda new input and inputs are recorded in the inputs.conf file,
./splunk add forward-server a.a.a.a:9997 ad a new destination and it's recorded in outputs.conf.

In other words, the "splunk add" command updates a conf file, but the updated conf file depends on the object to update (inputs, outputs and so on).

I hope to be sufficiently clear.

Anyway, instead of using CLI commands, that writes updated in the $SPLUNK_HOME/etc/system/local folder, make your updates directly in the conf files in dedicated apps in $SPLUNK_HOME/etc/apps/<your_app>/local, so you can manage them using the Deployment Server (DS cannot manage conf files in $SPLUNK_HOME/etc/system/local).

Ciao.

Giuseppe

Re: When I edit inputs.conf and outputs.conf using the cli command, is there a reason why the paths to the modified file

munang — Sat, 30 Dec 2023 12:07:32 GMT

@gcusello

Hello. Thank you very much for your kind reply.

May I ask one more question?

I understood what you were saying to mean that it is more appropriate to directly update the .conf file under $SPLUNK_HOME/etc/apps/<your_app>/local and manage it as a distribution server rather than using the add command.

Is there a reason why you don't recommend writing to the $SPLUNK_HOME/etc/system/local folder?

Re: When I edit inputs.conf and outputs.conf using the cli command, is there a reason why the paths to the modified file

isoutamo — Sat, 30 Dec 2023 12:44:16 GMT

I don’t know why those inputs and outputs conf are placed to different places with same splunk cli command. Maybe someone from splunk dev can tell that.
It’s a best practice to use/create your own apps to collect configurations of one app/issue to one place. Then you could/should put it into git and get version control on place. You could also utilize deployment server/manager node/deployer tp distribute it to correct places. You cannot use those tools with files under etc/system/local.

r. Ismo

Re: When I edit inputs.conf and outputs.conf using the cli command, is there a reason why the paths to the modified file

gcusello — Sun, 31 Dec 2023 09:01:28 GMT

Hi @munang ,

as I said, the best approach is to manage all Forwarders (Universal and Heavy) using the Deployment Server.

It's a best practive to manage with the DS all the inputs (in apps), but also other configurations as outputs.conf (addressing the Indexers) or deploymentclient.conf (addressing the Deployment Server).

The problem is that DS can mange only conf files in the $SPLUNK_HOME/etc/apps folder, so it cannot manage conf files in $SPLUNK_HOME/etc/system/local.

It's important to manage all Forwarders using the DS especially when you have very many of them, and all configurations: e.g. if you have to add an Indexer or change the DS: if you have these conf files in a custom app, you can easily change them by the DS, if instead they are in $SPLUNK_HOME/etc/system/local, you have to manualy update them.

I usually create a custom app (called e.g. TA_Forwarders) containing three conf files:

app.conf: describing the name and the purpose of the app,
outputs.conf: addressing the Indexers,
deploymentclient.conf: addressin g the Deployment Server.

Ciao.

Giuseppe