server.conf and inputs.conf

loatswil
Path Finder

We have hundreds of Windows and Linux forwarders. Many have been cloned from other systems over the years. Recently, we have noticed that some of these hosts do not appear in search results due to invalid entries in

$SPLUNKHOME/etc/system/local/inputs.conf

$SPLUNKHOME/etc/system/local/server.conf

Removing these files and restarting Splunk seems to fix the problem as the files are recreated properly (or not at all).

What are the implications of automatically removing these files across all servers and restarting Splunk on each forwarder to ensure each system is reporting properly?

jbsplunk
Splunk Employee

Inputs.conf contains the inputs that specify what you'd like Splunk to do in terms of files to monitor, scripts to run, etc.

Server.conf contains the set of attributes and values you can use to configure server options, and is oftentimes specific to the system.

Deleting them will cause any of the custom settings that have been put in place, intentionally or otherwise, to be deleted.

Files may or may not be created on restart, depending on the conf file in question, but the custom settings in place will be lost.

sowings
Splunk Employee

By default, the server.conf that gets created in system/local/ contains the GUID of the server (as mentioned by yannK above) as well as the SSL certificate password, in hashed form.

The inputs.conf in the same location is created to set the default hostname for data arising from the box, if no other means of setting the host is supplied. This is the likely culprit for your hosts not showing up properly.

0 Karma

yannK
Splunk Employee

Addendum about the instance GUID (unique ID)

In Splunk 4., the GUID was in $SPLUNK_HOME/etc/system/local/server.conf
Since Splunk 5., the GUID is in $SPLUNK_HOME/etc/instance.cfg

0 Karma

jbsplunk
Splunk Employee

Well, server.conf generally isn't something you'd deploy via a Deployment Server. Inputs.conf generally would be deployed via an app managed by DS. But, if you deleted server.conf, and had server specific settings, they'd get trashed. This is really the only reason to avoid making this type of a change.

0 Karma

loatswil
Path Finder

The forwarder configuration is controlled by a deployment server in this case. So the custom settings are located elsewhere, right?

$SPLUNKHOME/etc/apps/

Are there any other reasons NOT to do something like this?
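
An audit to run before any bulk delete, added here as an example and not code from the posters or from Splunk: it flags a `host` or `serverName` left over from a clone and lists the settings in the two files that a delete would discard. The set of auto-generated key names and the sample file contents are assumptions constructed for illustration.

```python
import socket

# Auto-generated system/local settings (key names assumed from the posts above).
AUTO_GENERATED = {
    ("general", "guid"), ("general", "serverName"), ("general", "pass4SymmKey"),
    ("sslConfig", "sslKeysfilePassword"), ("sslConfig", "sslPassword"), ("default", "host"),
}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys before any stanza land in 'default'."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def short(name):
    """Lower-cased hostname without its domain part."""
    return name.split(".", 1)[0].lower()

def audit(inputs_text, server_text, actual_host=None):
    """Report stale cloned identity and the custom settings a delete would discard."""
    actual = short(actual_host or socket.gethostname())
    inputs, server = parse_conf(inputs_text), parse_conf(server_text)
    host = inputs.get("default", {}).get("host")
    name = server.get("general", {}).get("serverName")
    custom = sorted(
        f"{fname}:[{stanza}] {key}"
        for fname, conf in (("inputs.conf", inputs), ("server.conf", server))
        for stanza, kv in conf.items() for key in kv
        if (stanza, key) not in AUTO_GENERATED)
    return {
        # "$decideOnStartup" resolves to the real hostname, so it is never stale
        "stale_host": host not in (None, "$decideOnStartup") and short(host) != actual,
        "stale_server_name": name is not None and short(name) != actual,
        "would_lose": custom,
    }

# Constructed sample: files cloned from "web01", audited on a host named "web07".
SAMPLE_INPUTS = "[default]\nhost = web01\n"
SAMPLE_SERVER = "[general]\nserverName = web01\nguid = 0000-CONSTRUCTED\n\n[httpServer]\ndisableDefaultPort = true\n"
print(audit(SAMPLE_INPUTS, SAMPLE_SERVER, actual_host="web07.example.com"))
```

An empty `would_lose` list means the two files hold nothing beyond what Splunk regenerates; anything listed there should be moved into a deployed app before the files are removed.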