I have integrated a deployment client into my environment to manage the configuration files, but now I am having multiple issues with configuration file precedence. I am able to deploy new configuration files to the forwarders, but they are not taking effect because the \local configuration files are taking precedence.
Question:
1. What is the best way to deal with the \local configuration files after I deploy the new configuration files under \apps? Should I delete or rename the files under the local directory?
This leads me to my second question....
Hi avalle,
When I use a Deployment Server, I always deploy TAs with only the default folder; I don't use the local folder in TAs deployed to Universal Forwarders.
Bye.
Giuseppe
Post 6.2 the deployment server wipes /local in apps by default.
I have Splunk 6.4.0 on the deployment and it did not wipe /local.
You shouldn't delete the local/ conf files since there will be some attributes that need to override conf files in apps/
You should create a new app and put everything from etc/system/local into that new app and leave the default hostname in local/
You should obviously test this in a dev environment before doing it in production.
Example:
1) Create a new app called "old_local_conf/local"
2) Add your conf files under local/
3) Remove everything in etc/system/local/ except for the defaults like hostname
4) Restart splunkd service on the forwarder
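
Steps 1 to 3 of the answer above as a shell function, added here as an example and not code from the thread. It assumes a *nix forwarder; the function name and the KEEP list of files left in etc/system/local are assumptions.

```shell
#!/bin/sh
# Added example: moves conf files out of etc/system/local into the
# app old_local_conf/local, as in steps 1-3 of the answer.

# Assumed keep list (not from the thread): files that stay in
# etc/system/local because they carry host identity or the
# deployment client settings. Adjust to your environment.
KEEP="server.conf inputs.conf deploymentclient.conf"

# migrate_system_local <splunk_home>
# Prints the number of files moved; returns non-zero on error.
migrate_system_local() {
    splunk_home=$1
    src="$splunk_home/etc/system/local"
    dst="$splunk_home/etc/apps/old_local_conf/local"

    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1

    moved=0
    for f in "$src"/*.conf; do
        [ -f "$f" ] || continue            # glob matched nothing
        name=$(basename "$f")
        case " $KEEP " in
            *" $name "*) continue ;;       # stays in etc/system/local
        esac
        if [ -e "$dst/$name" ]; then       # never overwrite an earlier run
            echo "skip $name: already present in $dst" >&2
            continue
        fi
        mv "$f" "$dst/$name" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Stand-alone use: pass the forwarder's install directory.
if [ $# -gt 0 ]; then
    migrate_system_local "$1"
fi
```

After running it, restart splunkd (step 4); `splunk btool outputs list --debug` then shows which file each effective setting comes from.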