Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Best way to deal with the \local configuration files after deploying new configuration files under \apps?

avalle
Path Finder
‎10-23-2017 01:37 PM

I have integrated a deployment client into my environment to manager the configuration files but now I am having multiple issues with configuration files precedence. I am able to deploy new configuration files to the forwarders but they are not taking effect because the \local configuration files are taking precedence.

Question:
1. what is the best way to deal with the \local configuration files after I deploy the new configuration files under \apps? should I delete or rename the files under the local directory?
This leads me to my second question....

  1. Now that the \local directory configuration files will be gone how do I make sure that the forwarders are getting their correct host name? reinstalling Splunk is not an option and currently they are getting their host name from the configuration files in the local directory. How can i use a configuration file under the newly deployed app to display the correct host name.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-24-2017 12:51 AM

Hi avalle,
when I use a Deployment Server I deploy always TAs with only default folder, I don't use local folder in TAs to deploy on Universal Forwarder.
Bye.
Giuseppe

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎10-23-2017 05:46 PM

Post 6.2 the deployment server wipes /local in apps by default.

0 Karma
Reply

avalle
Path Finder
‎10-24-2017 06:14 AM

I have splunk 6.4.0 on the deployment and it did not wipe /local

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎10-23-2017 04:43 PM

You shouldn't delete the local/ conf files since there will be some attributes that need to override conf files in apps/

You should create a new app and put everything from etc/system/local into that new app and leave the default hostname in local/

You should obviously test this in a dev environment before doing it in production..

Example:
1) Create a new app called "old_local_conf/local"
2) Add your conf files under local/
3) Remove everything in etc/system/local/ except for the defaults like hostname
4) Restart splunkd service on the forwarder

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...