splunk conf file updates

Path Finder

Hi all,

I am facing a strange issue while working on a custom app in Splunk together with a couple more fellow developers. We are using GIT as our app/code repository, and in the world of Splunk the majority of the content there is taken by *.conf files, e.g. savedsearches.conf and macros.conf.

Initially we were doing just fine with developing in parallel, but recently we found out that when making changes through the GUI of Splunk, e.g. when changing the SPL of a saved search, the stanza for that saved search ends up being moved to the end of the savedsearches.conf file. This happens every time something is changed and it causes a lot of complex merge conflicts in our repo.

Is there a way to tell Splunk NOT to move the latest updates to the end of the *.conf file OR is there a solution within GIT to handle these merge conflicts better?

Thank you in advance!

0 Karma

Re: splunk conf file updates

Communicator

This is expected behavior for Splunk to append the updated saved search to the end, and I am not aware of any settings to make the changes in place.

Of course, there are things you can do in your GIT* CICD pipeline to reassemble the savedsearches.conf file with all blocks in the desired order, such as calling the REST API endpoint

link text

to get individual searches and then put them together using a template, and use a script to check in/out the file from GIT.

HTH


Re: splunk conf file updates

Path Finder

thanks @tauliang but the link text is missing?

0 Karma

Re: splunk conf file updates

Communicator

Sorry, somehow the links got lost.

Basically the idea is to create a template in CICD and pull together the aggregated savedsearches.conf file on the fly to have control over the file instead of relying on the edited version from Splunk or noodling with GIT merges.

0 Karma

Re: splunk conf file updates

Path Finder

Thanks!

I've found the KSconfig tool: https://splunkbase.splunk.com/app/4383/#/details
It seems that it will help me alleviate the issue easily.

0 Karma

Re: splunk conf file updates

Communicator

Cool! Good find!

0 Karma
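
The approach discussed in this thread (keeping control of stanza order so that GUI edits stop producing merge conflicts) can be sketched as a pre-commit or CI step that rewrites a .conf file with its stanzas in sorted order. This is an added example, not code from any poster and not KSConf's implementation; the sample stanzas are constructed. It assumes a trailing backslash continues a value onto the next line, and comment lines placed before a stanza header stay with the preceding stanza.

```python
import re
import sys

HEADER = re.compile(r"^\[(?P<name>.*)\]\s*$")

# Constructed sample: the same two searches, in repo order and in the order
# left behind after "Alpha report" was edited and re-appended at the end.
REPO_COPY = r"""[Alpha report]
search = index=main host=* NOT \
[ | inputlookup decommissioned_hosts | fields host ]

[Zeta alert]
cron_schedule = */5 * * * *
search = index=main error
"""
GUI_EDITED = r"""[Zeta alert]
cron_schedule = */5 * * * *
search = index=main error

[Alpha report]
search = index=main host=* NOT \
[ | inputlookup decommissioned_hosts | fields host ]
"""

def split_stanzas(text):
    """Return (preamble_lines, {stanza_name: body_lines}) in file order."""
    preamble, stanzas = [], {}
    current, continued = preamble, False
    for line in text.splitlines():
        # A line after a trailing backslash continues the previous value, so a
        # subsearch line starting with "[" must not be read as a stanza header.
        match = None if continued else HEADER.match(line)
        if match:
            current = stanzas.setdefault(match.group("name"), [])
        else:
            current.append(line)
        continued = line.endswith("\\")
    return preamble, stanzas

def normalize(text):
    """Emit stanzas sorted by name ([default] first), bodies kept verbatim."""
    preamble, stanzas = split_stanzas(text)
    blocks = ["\n".join(preamble).strip("\n")] if any(preamble) else []
    for name in sorted(stanzas, key=lambda n: (n != "default", n.lower(), n)):
        body = "\n".join(stanzas[name]).strip("\n")
        blocks.append(f"[{name}]\n{body}".rstrip("\n"))
    return "\n\n".join(blocks) + "\n"

if __name__ == "__main__":  # usage: python sort_conf.py path/to/savedsearches.conf
    path = sys.argv[1]
    with open(path, encoding="utf-8") as fh:
        result = normalize(fh.read())
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        fh.write(result)
```

With every developer's copy normalized the same way before commit, a GUI edit shows up in the diff as the changed lines only, not as a stanza deleted in one place and added in another.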