I have integrated a deployment client into my environment to manage the configuration files, but now I am having multiple issues with configuration file precedence. I am able to deploy new configuration files to the forwarders but they are not taking effect because the \local configuration files are taking precedence.
1. What is the best way to deal with the \local configuration files after I deploy the new configuration files under \apps? Should I delete or rename the files under the local directory?
This leads me to my second question....
Now that the \local directory configuration files will be gone, how do I make sure that the forwarders are getting their correct host name? Reinstalling Splunk is not an option and currently they are getting their host name from the configuration files in the local directory. How can I use a configuration file under the newly deployed app to display the correct host name?
You shouldn't delete the local/ conf files since there will be some attributes that need to override conf files in apps/.
You should create a new app and put everything from etc/system/local into that new app and leave the default hostname in local/.
You should obviously test this in a dev environment before doing it in production.
1) Create a new app called "old_local_conf/local"
2) Add your conf files under local/
3) Remove everything in etc/system/local/ except for the defaults like hostname
4) Restart splunkd service on the forwarder
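
Steps 1 to 3 above as a shell function, added here as an example and not part of the original answer. It assumes a *nix forwarder, that the host name is set by `host` in the `[default]` stanza of inputs.conf and by server.conf, and uses a made-up backup directory name, `system_local.bak`.

```shell
# Added example: move etc/system/local settings into an app, keeping only the
# host name behind. Paths follow the answer; system_local.bak is hypothetical.
migrate_system_local() {
    splunk_home=$1
    app=${2:-old_local_conf}
    src="$splunk_home/etc/system/local"
    dst="$splunk_home/etc/apps/$app/local"
    bak="$splunk_home/system_local.bak"

    if [ ! -d "$src" ]; then echo "missing $src" >&2; return 1; fi
    if [ -e "$splunk_home/etc/apps/$app" ] || [ -e "$bak" ]; then
        echo "app or backup already exists, refusing to overwrite" >&2
        return 1
    fi

    cp -Rp "$src" "$bak" || return 1      # full copy to roll back from
    mkdir -p "$dst" || return 1

    for f in "$src"/*.conf; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            server.conf)
                : ;;  # left in place (assumption: holds serverName and per-instance settings)
            inputs.conf)
                # Keep only "[default] host = ..." in system/local; every other
                # line goes to the app. Lines before the first stanza header
                # are treated as [default] by this script.
                awk -v keep="$f.keep" -v rest="$dst/inputs.conf" '
                    BEGIN { stanza = "[default]" }
                    /^\[/ { stanza = $0 }
                    stanza == "[default]" && /^[ \t]*host[ \t]*=/ {
                        if (!n++) print "[default]" > keep
                        print > keep
                        next
                    }
                    { print > rest }
                ' "$f" || return 1
                if [ -f "$f.keep" ]; then mv "$f.keep" "$f"; else rm "$f"; fi
                ;;
            *)
                mv "$f" "$dst/" || return 1 ;;
        esac
    done
    return 0
}
```

After it runs, restart splunkd on the forwarder (step 4) and confirm the effective settings with `splunk btool inputs list --debug`.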