
splunk conf file updates

vanvan
Path Finder

Hi all,

I am facing a strange issue while working on a custom app in Splunk together with a couple more fellow developers. We are using Git as our app/code repository, and in the world of Splunk the majority of the content there is taken up by *.conf files, e.g. savedsearches.conf and macros.conf.

Initially we were doing just fine with developing in parallel, but recently we found out that when doing changes through the GUI of Splunk, e.g. when changing the SPL of a saved search, the stanza for that saved search ends up being moved to the end of the savedsearches.conf file. This happens every time something is changed, and it causes a lot of complex merge conflicts in our repo.

Is there a way to tell Splunk NOT to move the latest updates to the end of the *.conf file, OR is there a solution within Git to handle these merge conflicts better?

Thank you in advance!

0 Karma

tauliang
Communicator

This is expected behavior for Splunk to append the updated saved search to the end and I am not aware of any settings to make the changes in place.

Of course, there are things you can do in your Git CI/CD pipeline to reassemble the savedsearches.conf file with all blocks in the desired order, such as calling the REST API endpoint

link text

to get the individual searches and then put them together using a template, and use a script to check the file in/out of Git.

HTH

vanvan
Path Finder

thanks @tauliang but the link text is missing?

0 Karma

tauliang
Communicator

Sorry, somehow the links got lost.

Basically the idea is to create a template in CI/CD and pull together the aggregated savedsearches.conf file on the fly, to have control over the file instead of relying on the edited version from Splunk or noodling with Git merges.

0 Karma
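The approach tauliang describes in both replies above (regenerate savedsearches.conf deterministically instead of trusting the order Splunk wrote it in) can be done without a round trip to the REST API: canonicalize the file itself. The script below is an added example, not code from the thread, from Splunk or from ksconf; the stanza names, keys and searches in it are constructed sample data. It parses a Splunk .conf file (stanza headers, `key = value` lines, backslash continuations, `#` comments), folds duplicate stanzas the way Splunk does when loading (later values win), and re-emits stanzas and keys in a fixed sort order. Stanza order carries no meaning in savedsearches.conf or macros.conf, so this is a pure layout change; once the repo copy and the copy Splunk rewrote after a GUI edit are both canonicalized, only the setting that really changed shows up in `git diff`.

```python
"""Canonicalize Splunk .conf files so that stanza order, which GUI edits change,
stops producing Git merge conflicts. Usable as a Git "clean" filter (reads stdin,
writes stdout) or as a pre-commit hook. Added example; not Splunk or ksconf code."""
import re
import sys
from typing import Dict, List, Optional, Tuple

STANZA_RE = re.compile(r"^\s*\[(.*)\]\s*$")
KEY_RE = re.compile(r"^\s*([^=#\s][^=]*?)\s*=")

# A stanza is (comment lines, ordered mapping key -> physical lines of that setting,
# including any backslash-continued lines that belong to it).
Stanza = Tuple[List[str], Dict[str, List[str]]]


def parse_conf(text: str) -> Dict[str, Stanza]:
    """Parse conf text into {stanza_name: (comments, {key: lines})}.

    Lines before the first [header] live under the pseudo-name "" so a file
    preamble survives. Duplicate stanzas (what a botched merge leaves behind) are
    folded together with later values overriding earlier ones, which matches how
    Splunk resolves duplicates within one file. Blank lines are dropped here and
    re-inserted between stanzas by emit_conf."""
    stanzas: Dict[str, Stanza] = {"": ([], {})}
    name = ""
    current_key: Optional[str] = None  # key whose value continues with a trailing "\"
    for line in text.splitlines():
        comments, settings = stanzas[name]
        if current_key is not None:
            settings[current_key].append(line)  # continuation line of a multi-line value
            if not line.rstrip().endswith("\\"):
                current_key = None
            continue
        header = STANZA_RE.match(line)
        if header:
            name = header.group(1)
            stanzas.setdefault(name, ([], {}))
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            settings[key] = [line]  # a repeated key keeps its first position, last value
            if line.rstrip().endswith("\\"):
                current_key = key
        elif line.strip():
            comments.append(line.rstrip())
    return stanzas


def emit_conf(stanzas: Dict[str, Stanza], sort_keys: bool = True) -> str:
    """Render stanzas deterministically: preamble, [default], then the rest sorted
    case-insensitively. sort_keys also fixes the key order inside each stanza,
    removing a second source of spurious diffs."""
    def rank(n: str):
        return (0 if n == "" else 1 if n == "default" else 2, n.lower(), n)

    out: List[str] = []
    for name in sorted(stanzas, key=rank):
        comments, settings = stanzas[name]
        if name == "" and not comments and not settings:
            continue
        if name:
            out.append(f"[{name}]")
        out.extend(comments)
        for key in (sorted(settings, key=str.lower) if sort_keys else settings):
            out.extend(settings[key])
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


def canonicalize(text: str, sort_keys: bool = True) -> str:
    return emit_conf(parse_conf(text), sort_keys)


def changed_settings(before: str, after: str) -> Dict[str, Dict[str, Optional[str]]]:
    """{stanza: {key: new setting text or None if removed}} for settings that differ
    once both files are parsed; anything Splunk merely moved drops out."""
    a, b = parse_conf(before), parse_conf(after)
    diff: Dict[str, Dict[str, Optional[str]]] = {}
    for name in sorted(set(a) | set(b)):
        sa, sb = a.get(name, ([], {}))[1], b.get(name, ([], {}))[1]
        for key in sorted(set(sa) | set(sb)):
            if sa.get(key) != sb.get(key):
                diff.setdefault(name, {})[key] = "\n".join(sb[key]) if key in sb else None
    return diff


# Constructed sample data: the repo copy of savedsearches.conf, and the copy Splunk
# wrote after "Suspicious Logins" was edited in the GUI and moved to the end.
REPO_CONF = """\
[Failed Logins by Host]
search = index=auth action=failure | stats count by host
cron_schedule = */15 * * * *

[Suspicious Logins]
search = index=auth action=success \\
  | where src_country!="US"
enableSched = 1

[Privilege Escalation]
search = index=auth "sudo:" | stats count by user
alert.severity = 4
"""

SPLUNK_CONF = """\
[Failed Logins by Host]
search = index=auth action=failure | stats count by host
cron_schedule = */15 * * * *

[Privilege Escalation]
search = index=auth "sudo:" | stats count by user
alert.severity = 4

[Suspicious Logins]
enableSched = 1
search = index=auth action=success \\
  | where src_country!="US" AND user!="svc_backup"
"""

if __name__ == "__main__":
    # Clean-filter mode: canonicalize whatever Git hands us on stdin.
    sys.stdout.write(canonicalize(sys.stdin.read()))
```

To have Git apply it transparently, register it as a clean filter: `*.conf filter=splunkconf` in `.gitattributes` and `git config filter.splunkconf.clean "python3 canon_conf.py"` (file name assumed). Every developer then commits the same layout regardless of what the Splunk GUI did to the local copy, and a three-way merge only sees the settings that actually changed. One caveat: GUI edits rewrite the whole file, so comments kept in it may not survive a round trip through Splunk; the commit message is the safer place for commentary.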

vanvan
Path Finder

Thanks!

I've found the KSconfig tool: https://splunkbase.splunk.com/app/4383/#/details
It seems it will help me alleviate the issue easily.

0 Karma

tauliang
Communicator

Cool! Good find!

0 Karma