Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SHCluster replication overwrites hostname in $SPLUNK_HOME/etc/system/local/inputs.conf

SteveBowser
Explorer
‎12-17-2024 03:41 PM

Everytime we have to force replication on the SH nodes of a SH Cluster, the inputs.conf replicates and overwrites the hostname. Is there anyway to blacklist a .conf file by location to prevent it replicating when you do a forced resync of the SH nodes?

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-18-2024 12:12 AM
If I recall right SHC shouldn't replicate those files in etc/system/local . Those are host specific local files by default.

Are you absolutely sure that your host is defined in inputs.conf file under system/local instead of inside some app?
Can you check it from CLI with command "splunk btool inputs list --debug | egrep host"? Unfortunately this gives a lot entries, but you can see if there is also 'etc/system/local' on list.
0 Karma
Reply

SteveBowser
Explorer
‎12-18-2024 09:43 AM

Totally agreeing with you as this only happens on our ES SHC, and not our ITSI SHC. We have a work-around where we edit the $SPLUNK_HOME/etc/system/local/inputs.conf 
This will be looked into further after the holidays, so if I do find it, I'll be back on here.

0 Karma
Reply

SteveBowser
Explorer
‎12-18-2024 11:53 AM

I just did this from the /opt/splunk directory on all 3 SHC members, and the deployer:

grep --include=inputs.conf -rnw . -e "host ="

The only place where I see the hostname being in an inputs.conf is in $SPLUNK_HOME/etc/system/local, and $SPLUNK_HOME/var/run/splunk/confsnapshot/baselinelocal/inputs.conf

Kind of at a loss...

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-18-2024 12:25 PM
It could be like “host\s*=“.
The best way is use btool with —debug to see where it has defined.
0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
‎12-17-2024 05:38 PM

@SteveBowser  Checkout

inputs.conf 

$decideOnStartup

server.conf 

hostnameOption = [ fullyqualifiedname | clustername | shortname ]







If this reply helps, Please Upvote.



If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
0 Karma
Reply

SteveBowser
Explorer
‎12-18-2024 09:45 AM

As we use specialized names for the host, this might not be an option, but we will be looking at this also. Like I mentioned to the other responder, after the holidays and we have a crude work-around. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...