Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I figure out why custom conf files are not being imported?

seanbarbour
New Member
‎04-12-2016 01:19 PM

I am in the process of moving my indexer to a new server, and in the process, I thought it would be a good idea to combine the multiple configuration files that were scattered through $SPLUNK_HOME. The files I condensed are indexes.conf, transforms.conf, props.conf, serverclasses.conf (did not stick all of it in 1 file, the serverclasses.conf files went to a serverclasses.conf file).

I put the new configuration files in $SPLUNK_HOME/etc/system/custom_configs (so they were not higher than etc/local files). However when I rebooted and ran btool none of my configurations were imported. Thinking I had read the guide on the configurations incorrectly, also tried $SPLUNK_HOME/etc/system/local/custom_configs and $SPLUNK_HOME/etc/apps/custom_configs, but neither local corrected the issue.

I checked the permissions and even set the owner as splunk.

I am at a loss as to what I am doing wrong.

My environment is pretty simple:
Version: 6.3.3
No. Indexers: 1
Roles for indexer: all

Thanks,
Sean

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎04-12-2016 01:36 PM

Hi seanbarbour,

I'm not aware that you could place .conf files in other directories then:

  • $SPLUNK_HOME/etc/system/local
  • $SPLUNK_HOME/etc/apps/AppName/default
  • $SPLUNK_HOME/etc/apps/AppName/local
  • $SPLUNK_HOME/etc/users/AppName/local

Looking at your path $SPLUNK_HOME/etc/system/custom_configs I reckon this is simply ignored by Splunk and therefore not loaded.

The above list does not include any clustered apps folder; see the docs for a complete overview http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Wheretofindtheconfigurationfiles

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎04-12-2016 01:36 PM

Hi seanbarbour,

I'm not aware that you could place .conf files in other directories then:

  • $SPLUNK_HOME/etc/system/local
  • $SPLUNK_HOME/etc/apps/AppName/default
  • $SPLUNK_HOME/etc/apps/AppName/local
  • $SPLUNK_HOME/etc/users/AppName/local

Looking at your path $SPLUNK_HOME/etc/system/custom_configs I reckon this is simply ignored by Splunk and therefore not loaded.

The above list does not include any clustered apps folder; see the docs for a complete overview http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Wheretofindtheconfigurationfiles

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

seanbarbour
New Member
‎04-12-2016 01:42 PM

I will move them outside of the custom_configs directory and see what happens.

0 Karma
Reply
Solved! Jump to solution

seanbarbour
New Member
‎04-12-2016 02:02 PM

Yea, so I am feeling a little dumb. They can be in any of the directories standard directories, but they need to be in a local folder. creating custom_configs/local and moving the files seems to work. I am getting errors on my configuration files so i will count that as progress.

Thanks!
Sean

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎04-12-2016 03:42 PM

Please accept the answer if it answers your question - thanks 🙂

0 Karma
Reply
Solved! Jump to solution

seanbarbour
New Member
‎04-12-2016 01:41 PM

Might help if I posted the output of the stanza from btool:

[root@ ~]# cd /opt/splunk/bin/
[root@ bin]# ./splunk cmd btool server list --debug | grep '\['
/opt/splunk/etc/system/default/server.conf                                 [applicationsManagement]
/opt/splunk/etc/system/default/server.conf                                 [clustering]
/opt/splunk/etc/system/default/server.conf                                 [diag]
/opt/splunk/etc/system/default/server.conf                                 [diskUsage]
/opt/splunk/etc/system/default/server.conf                                 [fileInput]
/opt/splunk/etc/system/local/server.conf                                   [general]
/opt/splunk/etc/system/default/server.conf                                 [httpServer]
/opt/splunk/etc/apps/introspection_generator_addon/default/server.conf     [introspection:generator:disk_objects]
/opt/splunk/etc/system/default/server.conf                                 [introspection:generator:disk_objects__bundle_replication]
/opt/splunk/etc/system/default/server.conf                                 [introspection:generator:disk_objects__fishbucket]
/opt/splunk/etc/apps/introspection_generator_addon/default/server.conf     [introspection:generator:kvstore]
/opt/splunk/etc/apps/introspection_generator_addon/default/server.conf     [introspection:generator:resource_usage]
/opt/splunk/etc/system/default/server.conf                                 [kvstore]
/opt/splunk/etc/system/local/server.conf                                   [license]
/opt/splunk/etc/system/local/server.conf                                   [lmpool:auto_generated_pool_download-trial]
/opt/splunk/etc/system/local/server.conf                                   [lmpool:auto_generated_pool_enterprise]
/opt/splunk/etc/system/local/server.conf                                   [lmpool:auto_generated_pool_forwarder]
/opt/splunk/etc/system/local/server.conf                                   [lmpool:auto_generated_pool_free]
/opt/splunk/etc/system/default/server.conf                                 [mimetype-extension-map]
/opt/splunk/etc/system/default/server.conf                                 [pooling]
/opt/splunk/etc/system/default/server.conf                                 [queue]
/opt/splunk/etc/system/default/server.conf                                 [queue=AQ]
/opt/splunk/etc/system/default/server.conf                                 [queue=WEVT]
/opt/splunk/etc/system/default/server.conf                                 [queue=aggQueue]
/opt/splunk/etc/system/default/server.conf                                 [queue=fschangemanager_queue]
/opt/splunk/etc/system/default/server.conf                                 [queue=parsingQueue]
/opt/splunk/etc/system/default/server.conf                                 [queue=vixQueue]
/opt/splunk/etc/apps/SA-ldapsearch/default/server.conf                     [shclustering]
/opt/splunk/etc/system/local/server.conf                                   [sslConfig]
[root@ bin]#
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...