Best way to deal with the \local configuration files after deploying new configuration files under \apps?

avalle
Path Finder

I have integrated a deployment client into my environment to manage the configuration files, but now I am having multiple issues with configuration file precedence. I am able to deploy new configuration files to the forwarders, but they are not taking effect because the \local configuration files are taking precedence.

Question:

1. What is the best way to deal with the \local configuration files after I deploy the new configuration files under \apps? Should I delete or rename the files under the local directory?

This leads me to my second question....

2. Now that the \local directory configuration files will be gone, how do I make sure that the forwarders are getting their correct host name? Reinstalling Splunk is not an option, and currently they are getting their host name from the configuration files in the local directory. How can I use a configuration file under the newly deployed app to display the correct host name?
0 Karma

gcusello
SplunkTrust

Hi avalle,
When I use a Deployment Server, I always deploy TAs with only a default folder; I don't use a local folder in TAs to deploy on a Universal Forwarder.
Bye.
Giuseppe

0 Karma

jkat54
SplunkTrust

Post 6.2 the deployment server wipes /local in apps by default.

0 Karma

avalle
Path Finder

I have Splunk 6.4.0 on the deployment and it did not wipe /local.

0 Karma

skoelpin
SplunkTrust

You shouldn't delete the local/ conf files since there will be some attributes that need to override conf files in apps/

You should create a new app and put everything from etc/system/local into that new app and leave the default hostname in local/

You should obviously test this in a dev environment before doing it in production.

Example:
1) Create a new app called "old_local_conf/local"
2) Add your conf files under local/
3) Remove everything in etc/system/local/ except for the defaults like hostname
4) Restart splunkd service on the forwarder

0 Karma
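
The four steps in the answer above, as an added example that is not part of the original thread or Splunk's own tooling: it splits each file in etc/system/local so that only the host identity stays behind and everything else lands in the new app. The function names, the `KEEP` set (host in inputs.conf `[default]`, serverName in server.conf `[general]`) and the sample file are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumption: the forwarder's identity is host in inputs.conf [default]
# and serverName in server.conf [general]; only these stay in system/local.
KEEP = {("inputs.conf", "default", "host"), ("server.conf", "general", "serverName")}

# Constructed sample of an etc/system/local/inputs.conf on a Windows forwarder.
SAMPLE_INPUTS = r"""[default]
host = web01

[monitor://C:\logs\app.log]
index = main
sourcetype = app_log
"""

def render(stanzas):
    return "\n".join(f"[{name}]\n" + "".join(l + "\n" for l in lines)
                     for name, lines in stanzas.items())

def split_conf(filename, text):
    """Return (keep_text, move_text) for one conf file from etc/system/local."""
    keep, move, stanza = {}, {}, "default"  # settings before any header are [default]
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = header.group(1)
            continue
        key = line.partition("=")[0].strip()
        target = keep if (filename, stanza, key) in KEEP else move
        target.setdefault(stanza, []).append(line)
    return render(keep), render(move)

def migrate(splunk_home, app="old_local_conf"):
    """Steps 1-3: move all but KEEP into etc/apps/<app>/local; returns files moved."""
    src = Path(splunk_home) / "etc" / "system" / "local"
    dst = Path(splunk_home) / "etc" / "apps" / app / "local"
    dst.mkdir(parents=True, exist_ok=True)
    moved = []
    for conf in sorted(src.glob("*.conf")):
        keep, move = split_conf(conf.name, conf.read_text())
        if move:
            (dst / conf.name).write_text(move)
            moved.append(conf.name)
        conf.replace(conf.with_name(conf.name + ".bak"))  # backup; not loaded as a .conf
        if keep:
            conf.write_text(keep)
    return moved  # step 4, restarting splunkd, is still done by hand
```

Run `migrate()` against a copy of a forwarder's Splunk home first and compare the resulting files with the `.bak` copies before restarting splunkd.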