I've been using the UI to manage serverclasses for my universal forwarders. Somehow, I've managed to get the serverclass.conf split across ...splunk/etc/apps/search/local and .../splunk/etc/system/local/.
I don't know how I accomplished that but I want to merge them. It seems easy to do. Stop the splunk service, merge the two files in one location, start the splunk service. What am I missing? Thank you for your consideration!
You are not missing much ;-)
The Splunk community does seem to agree that a solid, extremely large serverclass.conf is the right design choice, even though the UI steers you to the app based
We ended up speaking about it recently at "Do big implementations break down the serverclass.conf into multiple files?"
Could you use btool to list what you have?
/opt/splunk/bin/splunk btool serverclass list
And if you want to see where each is coming from
/opt/splunk/bin/splunk btool serverclass list --debug
Use btool and it is SUPER DUPER easy:
/opt/splunk/bin/splunk btool serverclass list > /tmp/serverclass.conf
You can also examine serverclass.xml which should also have everything in one place; I think it is here:
Just a slight modification to it:
$SPLUNK_HOME/bin/splunk btool serverclass list --debug | grep -v 'system/default' > /tmp/serverclass.conf
You don't want to keep all the default settings in your config 😉
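Added example, not from any poster in this thread: `btool ... --debug` prefixes every line with the file it came from, so the redirected output needs that column removed before it can serve as a serverclass.conf. The sketch below does that and also lists the files that contributed non-default settings; the function names and sample lines are constructed, and it assumes the source paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: every --debug line is
# "<source file path><whitespace><config line>", with no spaces in the path.

# Constructed sample of `splunk btool serverclass list --debug` output.
SAMPLE='/opt/splunk/etc/apps/search/local/serverclass.conf   [serverClass:linux_uf]
/opt/splunk/etc/apps/search/local/serverclass.conf   whitelist.0 = lnx-*
/opt/splunk/etc/system/default/serverclass.conf      restartSplunkd = false
/opt/splunk/etc/system/local/serverclass.conf        [serverClass:linux_uf:app:outputs_app]
/opt/splunk/etc/system/local/serverclass.conf        restartSplunkd = true'

# Read --debug output on stdin, write a clean conf body on stdout.
clean_btool_debug() {
    awk '
        # Drop settings that only come from the shipped defaults.
        $1 ~ /system\/default\// { next }
        # Drop lines that carry a path but no config text.
        NF < 2 { next }
        {
            # Remove the source-path column and the padding after it.
            sub(/^[^ \t]+[ \t]+/, "")
            # Blank line between stanzas, none before the first one.
            if ($0 ~ /^\[/ && seen++) print ""
            print
        }
    '
}

# Read --debug output on stdin, list the non-default files that contributed.
# These are the copies to review and retire once the merged file is in place.
btool_sources() {
    awk '$1 !~ /system\/default\// && NF >= 2 { print $1 }' | sort -u
}

# Demo on the constructed sample. On a real deployment server, pipe in:
#   $SPLUNK_HOME/bin/splunk btool serverclass list --debug
printf '%s\n' "$SAMPLE" | clean_btool_debug
printf '%s\n' "$SAMPLE" | btool_sources
```

Run `btool serverclass list` again after the merge and compare it with the pre-merge listing before relying on the new file.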
Lots of great answers! Thanks everyone! It's just that, with Splunk, I've been caught with my pants down doing something "simple" that resulted in a temporary, and embarrassing, loss of functionality.