Archive

force splunk to use app props instead of /etc/system/local

Explorer

Hello, Is there a way to force splunk to use /etc/apps/app-name/local/props.conf and transforms.conf instead of /etc/system/local under a forwarder configuration for index time transformations ?

I would want to use Deployment server to control props and transforms for each app from one central place and push configs out to different forwarders.

thanks pmr

0 Karma

Splunk Employee
Splunk Employee

Unfortunately there is not, for "global" items, which includes index-time transformations. See. While search-time items like EXTRACT and REPORT and dashboards prioritize the app directories over the system, index time TRANSFORMS (among other things) prioritize system local over app local. Yes, that's right. Items in the same stanza in the same file will get prioritized differently depending what they are.

This is why as much as possible I never put configs into etc/system/local, other than possibly ones I know will only be edited directly on the machine. Even then, there's not a good reason to use etc/system/local over, (say) etc/apps/system/local or etc/apps/base_forwarder/local or etc/apps/base_indexer/local. (There were once a couple of configs that would only read out of etc/system, but I don't think such items exist in 4.1.)

About the only marginal reason is that plaintext passwords (in authentication.conf, server.conf, inputs.conf, etc.) will be hashed away if they are in etc/system/local, but if they aren't, then the hashed value gets written to etc/system/local, leaving the plaintext password in the original location; if this really bothers you, push out the conf file with the plaintext password, restart all the clients, then push out a new version of the conf file without the password specified at all.

Splunk Employee
Splunk Employee

you actually do not have to "force" splunk to do that, it does it by default. Place your configurations in your deployment-apps/appname/local, make sure that the files get transferred to the clients, and you should see all the necessary files in the /apps/appname/local/ and they should take precedence over props and transforms in other places.

It is usually recommended though that you do not use same stanza names for props/transforms in different locations as i believe the current behavior (and default) is to actually merge the attributes.

Hope this helps,
.gz

0 Karma

Splunk Employee
Splunk Employee

Sadly, it's more complicated than this. See my answer.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!