We are using a distributed architecture and I have a couple of servers with custom windows logs that we want to pull into Splunk. I added the needed configs to the inputs.conf file, but periodically the custom inputs.conf files are being overwritten with the universally distributed conf file. How can I prevent this from happening? Or should I just add the custom configs to the core inputs.conf file that gets pushed out to the whole environment?
Hi @lball,
You shall put them in an app and push to the respective servers. If you are using a deployment server to push the configs , then you could use serverclass
to distinguish between the servers [https://docs.splunk.com/Documentation/Splunk/7.1.1/Updating/Useserverclass.conf] . Or you shall put them into the local
directory of splunk to get a higher precedence. Have a look at the following link for more information about config file precedence http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Wheretofindtheconfigurationfiles
Hi @lball,
You shall put them in an app and push to the respective servers. If you are using a deployment server to push the configs , then you could use serverclass
to distinguish between the servers [https://docs.splunk.com/Documentation/Splunk/7.1.1/Updating/Useserverclass.conf] . Or you shall put them into the local
directory of splunk to get a higher precedence. Have a look at the following link for more information about config file precedence http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Wheretofindtheconfigurationfiles