How to monitor changes made to the inputs.conf file?

Builder

Hello,

We update the inputs.conf file periodically. I want to keep track of changes made in the inputs.conf file.

Any suggestions on how we can upload the file to Splunk whenever changes are made in inputs.conf?

Regards,
Ankit

0 Karma

Re: How to monitor changes made to the inputs.conf file?

Splunk Employee
0 Karma

Re: How to monitor changes made to the inputs.conf file?

Communicator

@jconger-- The link you provided has a disclaimer at the top: This feature has been deprecated as of Splunk Enterprise version 5.0. This means that although it continues to function in version 6.x of Splunk software, it might be removed in a future version.

0 Karma

Re: How to monitor changes made to the inputs.conf file?

SplunkTrust

Do you monitor inputs.conf directly on the server? Do you restart the Splunk service after each change? You could just include something like this in your inputs.conf:

[monitor://$SPLUNK_HOME/etc/apps/YourInputAppName/local/inputs.conf]
index = putSomeIndex
sourcetype = putSomeSourcetype
crcSalt = <SOURCE>
0 Karma

Re: How to monitor changes made to the inputs.conf file?

Splunk Employee

Aside from monitoring the files themselves (which is not a bad thing at all), my best practice recommendation would be to manage all your Splunk configuration files in a source control system, similar to what you would do with other code. This allows you to track changes and rollback to previous versions easily. When combined with using deployment server (or another distributed config management tool), this can enable a solid configuration lifecycle management process.

0 Karma

Re: How to monitor changes made to the inputs.conf file?

Super Champion

You can dig into Splunk configs to monitor for inputs.conf changes. Keep in mind that inputs.conf can change in any Splunk subdirectory, so don't focus on one single inputs.conf file. To wit, search Splunk_Home for inputs.conf and you will get many file hits. Changes to any inputs.conf file will likely give you new inputs.

If you only monitor the main Splunk instance, then you might miss changes to forwarder inputs.conf files (a bit rusty on forwarding).

To monitor all changes to all inputs.conf files on your local Splunk system such that every change will have a new _time (time stamp) you can add the following text to your inputs.conf and props.conf files:

In an inputs.conf file:

[monitor://$SPLUNK_HOME\etc\...\inputs.conf]
disabled = false
sourcetype = Inputs_conf

In the corresponding props.conf file:

[Inputs_conf]
DATETIME_CONFIG=CURRENT

To see changes to any inputs.conf file, simply run a search on sourcetype=Inputs_conf for the time frame you're interested in. The Source will point you to the inputs.conf file path, and the Event will show you the change.

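A stanza-level complement to the monitor inputs above, as an added example that is not from any of the posts: it snapshots every inputs.conf under a Splunk etc directory and reports which stanza or key was added, removed or changed between two snapshots. The function names, directory layout and sample stanzas are constructed for illustration, and backslash line continuations are not handled.

```python
import os

def parse_conf(text):
    """Flatten .conf text to {(stanza, key): value}; (stanza, "") marks that the stanza exists."""
    settings, stanza = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            settings[(stanza, "")] = ""  # a stanza with no keys is still a new input
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[(stanza, key.strip())] = value.strip()
    return settings

def snapshot(etc_dir):
    """Parse every inputs.conf below etc_dir into {(path, stanza, key): value}."""
    snap = {}
    for root, _dirs, files in os.walk(etc_dir):
        if "inputs.conf" in files:
            path = os.path.join(root, "inputs.conf")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for (stanza, key), value in parse_conf(fh.read()).items():
                    snap[(path, stanza, key)] = value
    return snap

def diff_snapshots(old, new):
    """Return (action, path, stanza, key, old_value, new_value) tuples sorted by path, stanza, key."""
    changes = []
    for ident in sorted(set(old) | set(new)):
        before, after = old.get(ident), new.get(ident)
        if before != after:
            action = "added" if before is None else "removed" if after is None else "changed"
            changes.append((action, *ident, before, after))
    return changes

if __name__ == "__main__":
    import pathlib, tempfile
    # Constructed sample: one app's inputs.conf before and after an edit.
    with tempfile.TemporaryDirectory() as etc:
        conf = pathlib.Path(etc, "apps", "demo_app", "local", "inputs.conf")
        conf.parent.mkdir(parents=True)
        conf.write_text("[monitor:///var/log/app.log]\nindex = main\n")
        baseline = snapshot(etc)
        conf.write_text("[monitor:///var/log/app.log]\nindex = web\n[monitor:///var/log/new.log]\n")
        for change in diff_snapshots(baseline, snapshot(etc)):
            print(change)
```

A change tuple with an empty key refers to the stanza itself, so a newly added input is reported even when it sets no options.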