Do you use Local or Default directories for your data inputs?

Builder

Need help understanding the proper place for our apps.

Windows, Splunk 6.2, clean rollout, using LDAP, no SSL. I'm using the free trial license (this is a home setup). This is a single server setup. Using the GUI, Data Input, Forward data, I see 3 computers available to select from (they are phoning home already). I select computer A and create a new server class called: TestServerClass, I grab Windows event logs (SETUP), I create a test index called "test" and I set this server class to send its setup logs to index: test.

End results

A new server class called: TestServerClass
A new app called: serverappTest (when adding data via the GUI it always combines "serverapp" with whatever server class name you choose; that will = the app name).

The app is created on the Splunk server under deployment apps and pushed to the test server, which has a universal forwarder installed and phoning home. It places the correct stanza for inputting Windows setup logs into the inputs.conf file. The inputs.conf is in the Local folder (not default).

It's not ingesting data, though the servers are phoning home and it shows the app is deployed successfully. It all looks perfect, but doesn't send any data (the index shows 0 data). I tried restarting the Splunk server and the universal forwarders.

Is the local directory the right dir I should be placing my inputs.conf in? Why would one want to use the default dir as opposed to local? At work we are only able to get Splunk to work with Default and I'm trying to not have to go that route. It should just work in local.

0 Karma

Re: Do you use Local or Default directories for your data inputs?

Splunk Employee

This is where best practices come into play. Typically, for any app you write, once you push / deploy it, all your configs should be in default. If you have to modify the app on a per-host basis you can put these changes in local (although with a DS, this will still get deleted).

The key thing here is that default is used to denote the 'default' configurations of the app. Local should be used for local configurations that are modified outside of the default state of the configuration.
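
Added example (not part of the original thread, and not Splunk's own code): a small Python model of the default/local layering described in the answer above, where local settings override default ones attribute by attribute within one app. The two inputs.conf bodies are constructed samples, and `parse_conf` and `effective` are hypothetical helper names.

```python
import configparser

# Constructed sample: what the app author ships in <app>/default/inputs.conf
DEFAULT_CONF = """
[WinEventLog://Setup]
disabled = 0
index = main
start_from = oldest
"""

# Constructed sample: a per-host change in <app>/local/inputs.conf
LOCAL_CONF = """
[WinEventLog://Setup]
index = test
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {attribute: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep attribute names case-sensitive
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}

def effective(default_text, local_text):
    """Layer local over default; record which directory supplied each value."""
    merged = {}
    # Apply default first, then local, so local wins on any shared attribute.
    for layer, text in (("default", default_text), ("local", local_text)):
        for stanza, attrs in parse_conf(text).items():
            for key, value in attrs.items():
                merged.setdefault(stanza, {})[key] = (value, layer)
    return merged

if __name__ == "__main__":
    for stanza, attrs in effective(DEFAULT_CONF, LOCAL_CONF).items():
        print(f"[{stanza}]")
        for key, (value, layer) in sorted(attrs.items()):
            print(f"  {key} = {value}    (from {layer})")
```

On a real forwarder, `splunk btool inputs list --debug` prints the merged inputs configuration together with the file each setting came from.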


Re: Do you use Local or Default directories for your data inputs?

Ultra Champion

It's funny as I saw this exact scenario of a _server_app_eng_webservers app in the Splunk Admin class this week.

The UI created the inputs.conf under local in one of the labs -
SPLUNK_HOME/etc/deployment-apps/_server_app_eng_webservers/local/inputs.conf.

But look, when I create my own manual inputs.conf for my deployment-apps, I do it under the local directory.

I think the issue relates to the scalability of the app - if we create a generic app which can be modified and extended, then default makes sense. If, on the other hand, it's about an app with very specific use, then there is no point for the default location.

0 Karma

Re: Do you use Local or Default directories for your data inputs?

Builder

Thank you for this info. What's strange is that when you use the DS GUI it places the configuration into local instead of default, whereas if you manually create your app you will have to place your conf into default.

Is there a purpose or a reason for Splunk doing this, or is it perhaps an enhancement they need to consider when using the web browser to create and deploy apps?

0 Karma