Best way to deal with the \local configuration files after deploying new configuration files under \apps?

avalle
Path Finder

I have integrated a deployment client into my environment to manage the configuration files, but now I am having multiple issues with configuration file precedence. I am able to deploy new configuration files to the forwarders, but they are not taking effect because the \local configuration files are taking precedence.

Question:
1. What is the best way to deal with the \local configuration files after I deploy the new configuration files under \apps? Should I delete or rename the files under the local directory?
This leads me to my second question....

2. Now that the \local directory configuration files will be gone, how do I make sure that the forwarders are getting their correct host name? Reinstalling Splunk is not an option, and currently they are getting their host name from the configuration files in the local directory. How can I use a configuration file under the newly deployed app to display the correct host name?
0 Karma

gcusello
SplunkTrust

Hi avalle,
When I use a Deployment Server, I always deploy TAs with only the default folder; I don't use the local folder in TAs to deploy on Universal Forwarders.
Bye.
Giuseppe

0 Karma

jkat54
SplunkTrust

Post 6.2 the deployment server wipes /local in apps by default.

0 Karma

avalle
Path Finder

I have Splunk 6.4.0 on the deployment and it did not wipe /local.

0 Karma

skoelpin
SplunkTrust

You shouldn't delete the local/ conf files since there will be some attributes that need to override conf files in apps/

You should create a new app and put everything from etc/system/local into that new app and leave the default hostname in local/

You should obviously test this in a dev environment before doing it in production.

Example:
1) Create a new app called "old_local_conf/local"
2) Add your conf files under local/
3) Remove everything in etc/system/local/ except for the defaults like hostname
4) Restart splunkd service on the forwarder

0 Karma
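
Steps 1 to 3 of the answer above, as an added example that is not part of the original thread and not Splunk tooling: a Python script that moves settings out of etc/system/local into a new app, stanza by stanza, and leaves the host name behind. It assumes "defaults like hostname" means `host` under `[default]` in inputs.conf and `serverName` under `[general]` in server.conf; the function names and the `local.pre_migration` backup directory are hypothetical.

```python
import re
import shutil
from pathlib import Path

# Assumption: the "defaults like hostname" that stay in etc/system/local.
KEEP = {"inputs.conf": {"default": {"host"}},
        "server.conf": {"general": {"serverName"}}}
STANZA = re.compile(r"^\[(.*)\]$")

def render(stanzas):
    return "".join(f"[{name}]\n" + "".join(l + "\n" for l in lines) + "\n"
                   for name, lines in stanzas.items())

def split_conf(filename, text):
    """Split one .conf file into (stay, move) texts, stanza by stanza."""
    rules, stay, move = KEEP.get(filename, {}), {}, {}
    stanza = "default"  # settings above the first header are global
    for line in text.splitlines():
        header = STANZA.match(line.strip())
        if header:
            stanza = header.group(1)
            move.setdefault(stanza, [])  # keep stanzas that have no settings
        elif line.strip():
            key = line.split("=", 1)[0].strip()
            dest = stay if key in rules.get(stanza, ()) else move
            dest.setdefault(stanza, []).append(line)
    # Drop a stanza from the moved file only if all of its settings stayed.
    move = {s: l for s, l in move.items() if l or s not in stay}
    return render(stay), render(move)

def migrate(splunk_home, app="old_local_conf"):
    """Steps 1-3: move etc/system/local settings into etc/apps/<app>/local."""
    src = Path(splunk_home, "etc", "system", "local")
    dst = Path(splunk_home, "etc", "apps", app, "local")
    # Hypothetical backup location; copytree raises if it already exists.
    shutil.copytree(src, src.with_name("local.pre_migration"))
    dst.mkdir(parents=True, exist_ok=True)
    for conf in sorted(src.glob("*.conf")):
        stay, move = split_conf(conf.name, conf.read_text())
        if move:
            (dst / conf.name).write_text(move)
        if stay:
            conf.write_text(stay)
        else:
            conf.unlink()
    return dst  # step 4 (restart splunkd) is left to the operator
```

Settings moved out of etc/system/local lose its top precedence, so a same-named setting in another app can now override them; check the merged result on the forwarder after the restart.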