I am facing a strange issue while working on a custom app in Splunk together with a couple more fellow developers. We are using Git as our app/code repository, and in the world of Splunk the majority of the content there is taken up by *.conf files, e.g. savedsearches.conf and macros.conf.
Initially we were doing just fine with developing in parallel, but recently we found out that when doing changes through the GUI of Splunk, e.g. when changing the SPL of a saved search, the stanza for that saved search ends up being moved to the end of the savedsearches.conf file. This happens every time something is changed, and it causes a lot of complex merge conflicts in our repo.
Is there a way to tell Splunk NOT to move the latest updates to the end of the *.conf file, OR is there a solution within Git to handle these merge conflicts better?
Thank you in advance!
This is expected behavior for Splunk to append the updated saved search to the end and I am not aware of any settings to make the changes in place.
Of course, there are things you can do in your Git CI/CD pipeline to reassemble the savedsearches.conf file with all blocks in the desired order, such as calling the REST API endpoint to get individual searches and then putting them together using a template, and using a script to check the file in/out of Git.
Sorry, somehow the links got lost.
Basically the idea is to create a template in CI/CD and pull together the aggregated savedsearches.conf file on the fly, to have control over the file instead of relying on the edited version from Splunk or noodling with Git merges.
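A small Python canonicaliser implementing the reassembly idea from the answer above, added here as an example and not part of the original answer: it parses a savedsearches.conf (whether fetched via the REST API or checked out from Git), sorts stanzas and keys into a fixed order, and emits the file again, so Splunk appending an edited stanza to the end no longer shows up as a diff. The stanza names and SPL in the sample are constructed.

```python
def parse_conf(text):
    """Map {stanza: {key: entry_text}}; '' holds keys before the first [stanza].
    Backslash-continued values keep their line breaks so the output round-trips."""
    stanzas, name, entry = {"": {}}, "", None
    for line in text.splitlines():
        if entry is not None:                      # continuation of previous value
            entry[1] += "\n" + line
        elif not line.strip() or line.lstrip().startswith("#"):
            continue                               # Splunk drops these on rewrite too
        elif line.startswith("[") and line.rstrip().endswith("]"):
            name = line.strip()[1:-1]
            stanzas.setdefault(name, {})
            continue
        else:
            entry = [line.split("=", 1)[0].strip(), line]
        stanzas[name][entry[0]] = entry[1]         # duplicate key: last one wins
        if not line.rstrip().endswith("\\"):       # value complete on this line
            entry = None
    return stanzas

def canonicalize(text):
    """Default stanza first, then stanzas sorted by name, keys sorted within each."""
    stanzas = parse_conf(text)
    blocks = []
    for name in sorted(stanzas, key=lambda n: (n != "", n)):
        lines = [f"[{name}]"] if name else []
        lines += [stanzas[name][k] for k in sorted(stanzas[name])]
        if lines:
            blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

# Constructed sample: the same two searches before and after a UI edit moved one to the end.
BEFORE = """\
[Alert - Failed Logins]
search = index=auth action=failure \\
| stats count by user
cron_schedule = */5 * * * *

[Report - Daily Summary]
search = index=web | stats count by status
"""
AFTER_UI_EDIT = """\
[Report - Daily Summary]
search = index=web | stats count by status

[Alert - Failed Logins]
cron_schedule = */5 * * * *
search = index=auth action=failure \\
| stats count by user
"""
```

Wrapping `canonicalize(sys.stdin.read())` in a script and registering it as a Git clean filter for savedsearches.conf (via `.gitattributes`) applies the ordering on every commit, so only the actual SPL change reaches the repo.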