Hello All,
I have not found this answer yet. I am in the process of configuring and testing a deployment server. My environment is completely deployed but I want to have a central place to update all of my conf files. I see a lot of documentation about deploying apps but none about updating the conf file. Does anyone know or have documentation on the steps to deploy conf files?
When you deploy configuration files, you do it within the context of an app. You can think of an app as basically a "configuration bundle" if that helps wrap your mind around how this is working. An app can include executable code, but the vast majority of ours hold only configuration files.
I'm not sure how you are used to configuring Splunk; have you been editing files in $SPLUNK_HOME/etc/system/local?
The most common types of configuration files to deploy in an application would probably be props, transforms, and inputs, but you aren't limited to only those configuration files.
If you're not sure, create an app in $SPLUNK_HOME/etc/apps, put the configuration file in either the default or local sub-directory and then run $SPLUNK_HOME/bin/splunk btool FILE list where FILE is the name of the configuration file without the .conf suffix. That will get you a merged view of the configuration files; basically that's what Splunk would be using if you restarted it. If you see your setting, then you know the configuration file is being read and you can build your confidence that using an app to hold your configuration files really is going to do what you want.
When you create an app named app1 and an app named app2, both with, for example, a props.conf, they will, after deployment to the FW, reside in:
~/etc/apps/app1/local/props.conf and
~/etc/apps/app2/local/props.conf
The working props.conf of the FW will be a merged running file of all the props.conf files on the system including those in the app1 and app2 directory.
There is no need to place them in ~/etc/system/local
@frmaasdam may have a better answer than me or @triest since they both answered my question
Thank you! Splunk was already deployed before I took the position and they used another app to send the conf files to all of the devices and now it is my job to manage them.
I've never created an app before, is there a default app that I can use to put the conf files in?
Question: after creating your own app as mentioned above, placing the updated config files you want to push to your forwarders, and then pushing to them, how will the updated config files get into the proper directory on the forwarders, i.e. etc/system/local?
You can of course place your config files in a self-created app with any name, like configapp.
This is how I deploy my inputs, outputs, props, transforms etc.
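The merge described in the answers above, as an added example that is not part of the original thread and is not Splunk's own code: a simplified model of the global-context layering that btool list shows (system/local, then app local, then app default, then system/default, with apps taken in ASCII name order). The app1/app2 files and their settings are constructed sample data.

```python
import tempfile
from pathlib import Path

def parse_conf(path):
    """Parse a .conf file into {stanza: {key: value}} (simplified: no line continuations)."""
    stanzas, current = {}, "default"
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def layers(etc, conf):
    """Yield candidate files, highest precedence first (global context only)."""
    apps = sorted((p for p in (etc / "apps").glob("*") if p.is_dir()), key=lambda p: p.name)
    yield etc / "system" / "local" / conf
    for sub in ("local", "default"):
        for app in apps:
            yield app / sub / conf
    yield etc / "system" / "default" / conf

def merged(etc, name):
    """Return {stanza: {key: (value, winning_file)}}; the first layer to set a key wins."""
    etc, out = Path(etc), {}
    for path in layers(etc, name + ".conf"):
        if path.is_file():
            src = path.relative_to(etc).as_posix()
            for stanza, kv in parse_conf(path).items():
                for key, value in kv.items():
                    out.setdefault(stanza, {}).setdefault(key, (value, src))
    return out

def demo_tree():
    """Build a constructed etc/ tree holding app1 and app2, as in the answer above."""
    etc = Path(tempfile.mkdtemp()) / "etc"
    files = {
        "apps/app1/local/props.conf": "[syslog]\nTZ = UTC\n",
        "apps/app2/local/props.conf": "[syslog]\nTZ = US/Eastern\nTRUNCATE = 20000\n",
    }
    for rel, text in files.items():
        (etc / rel).parent.mkdir(parents=True, exist_ok=True)
        (etc / rel).write_text(text)
    return etc

if __name__ == "__main__":
    for stanza, kv in merged(demo_tree(), "props").items():
        print(stanza, kv)
```

On a real forwarder, `$SPLUNK_HOME/bin/splunk btool props list --debug` prints the source file next to each merged setting, which is the authoritative version of this view.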