Getting Data In

Custom inputs.conf files in distributed architecture

lball
Explorer

We are using a distributed architecture and I have a couple of servers with custom windows logs that we want to pull into Splunk. I added the needed configs to the inputs.conf file, but periodically the custom inputs.conf files are being overwritten with the universally distributed conf file. How can I prevent this from happening? Or should I just add the custom configs to the core inputs.conf file that gets pushed out to the whole environment?

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

Hi @lball,

You shall put them in an app and push to the respective servers. If you are using a deployment server to push the configs , then you could use serverclass to distinguish between the servers [https://docs.splunk.com/Documentation/Splunk/7.1.1/Updating/Useserverclass.conf] . Or you shall put them into the local directory of splunk to get a higher precedence. Have a look at the following link for more information about config file precedence http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Wheretofindtheconfigurationfiles

Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

Hi @lball,

You shall put them in an app and push to the respective servers. If you are using a deployment server to push the configs , then you could use serverclass to distinguish between the servers [https://docs.splunk.com/Documentation/Splunk/7.1.1/Updating/Useserverclass.conf] . Or you shall put them into the local directory of splunk to get a higher precedence. Have a look at the following link for more information about config file precedence http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Wheretofindtheconfigurationfiles

Happy Splunking!
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...