Solved: Deployment Server over old config management

mwdbhyat · ‎10-19-2020

Hi there,

What is the best way to approach attaching a DS to an environment that is already in place and scattered with apps? In terms of inputs/outputs etc.

EG there were inputs.conf in random apps on forwarders. These are still there forwarding. However when I connect the new DS to these, inputs.conf will be in new <appname>/appstructure. So it would be deployed alongside the current inputs.conf, rather than overwrite whats there - would this mean that the files being monitored would be ingested twice? How do i go about removing the old config and using the new without either duplicating or having data gaps?

My plan for all other apps including outputs.conf will be to deploy those first, then remove anything from the "old" config manually. As the DS previously didnt manage these old dodgy apps, it will not autoremove them. This is what made me curious about there being duplicate data as mentioned above.

What are your thoughts on this ?

Thanks!

richgalloway · ‎10-19-2020

Splunk merges config files from apps before it decides what to do so, no, having multiple input.conf files will not result in duplicate inputs.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-19-2020

Splunk merges config files from apps before it decides what to do so, no, having multiple input.conf files will not result in duplicate inputs.

---
If this reply helps you, Karma would be appreciated.

Deployment Server over old config management

deployment client

deployment server

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?