Archive2

What file does Splunk store the configuration in when I use the CLI to create an input?

Builder

Generally, when I want to add a logfile monitor to a Splunk lightfowarder, I add "monitor" stanzas to the $SPLUNK_HOME/etc/system/local/inputs.conf file, then restart the lightforwarder.

Recently I wanted to add a number of new monitors using a script, so I thought it would be easiest to use the CLI command:

$SPLUNK_HOME/bin splunk add monitor logfile_path

I was surprised to see that "monitor" stanzas were not added to inputs.conf. This happens (or doesn't, as the case may be) on Linux and Windows lightforwarders. The monitor does list though when running:

$SPLUNK_HOME/bin splunk list monitor

Is this intentional? If so, why? Where does it hold it's monitor information if not in the conf file? It is a problem for me as often use the conf file as a reference for what is being monitored.

Tags (2)
1 Solution

Splunk Employee
Splunk Employee

Since 4.0, Splunk CLI commands add some configurations to the default app context, which is the search app, not the system context.

You can specify a different app in these cases with a -app myotherapp command line parameter.

Othewise, the configuration is stored in $SPLUNK_HOME/etc/apps/search/local/inputs.conf rather than $SPLUNK_HOME/etc/system/local/inputs.conf. You may wish to review the configuration file system and app system:

http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Aboutconfigurationfiles

http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Whatsanapp

View solution in original post

Splunk Employee
Splunk Employee

Since 4.0, Splunk CLI commands add some configurations to the default app context, which is the search app, not the system context.

You can specify a different app in these cases with a -app myotherapp command line parameter.

Othewise, the configuration is stored in $SPLUNK_HOME/etc/apps/search/local/inputs.conf rather than $SPLUNK_HOME/etc/system/local/inputs.conf. You may wish to review the configuration file system and app system:

http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Aboutconfigurationfiles

http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Whatsanapp

View solution in original post

Champion

You can use btool to check all instances of a configuration file and its contents. To list out the contents of all your inputs.conf files, use:

./splunk cmd btool inputs list

0 Karma
Reply