Is there a way to configure Splunk to index its own .conf files or does Splunk already do this?

landen99
Motivator

How can I configure Splunk to index its own conf files? Would there be any issues with doing this?

Or does Splunk already index those files, and if so, then where are they indexed?

0 Karma
1 Solution

landen99
Motivator

The solution is within the SOS app to do btools to collect in a saved search:

| btools macros.conf | formatting commands | collect index=myConfIndex

0 Karma

jzhao_splunk
Splunk Employee

If you just want to review the parameter in conf, try this app https://apps.splunk.com/app/2615/

0 Karma

landen99
Motivator

I want to index the data presented by the configuration File Viewer every hour if it changes.

0 Karma

gfuente
Motivator

If you use the SOS app, it indexes the .conf files by default.

0 Karma

landen99
Motivator

I have SOS. Where can I see SOS indexing the conf files?

0 Karma

gfuente
Motivator

The third tab, "Configuration File Viewer"

0 Karma

landen99
Motivator

I see the Configuration File Viewer, but I can't see the search that powers the stanza listing. Where is the information being indexed? i.e.: index=conf ... I am suspecting that it is not being indexed.

0 Karma

landen99
Motivator

Confirming that the Configuration File Viewer uses btool to pull the data but does not index anything. We have to create searches with btools to send the data to summary indexes ourselves.

0 Karma

somesoni2
SplunkTrust

In my belief, Splunk doesn't index the conf files. If you would like to index the conf files to track the change history on them, you can set up a monitor on different locations where .conf files can be present (etc/system, etc/apps, etc/users).
As far as I know there shouldn't be any issue monitoring .conf files.

0 Karma

landen99
Motivator
0 Karma

landen99
Motivator

Added to inputs.conf:

[monitor://C:\Program Files\Splunk\etc\...\*.conf]
sourcetype = conf
index = si_conf
LINE_BREAKER=^\[
followTail = False

...*.conf looks at all subdirectories for any files with conf extensions.
^[ breaks events before each stanza
followTail was just added to get the entire file indexed each time. Haven't verified it yet.

0 Karma
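
An added example, not part of the original thread and not Splunk or SOS app code: a Python sketch of the "one event per stanza, only when it changes" idea discussed above, which also masks credential-like values before they reach an index. The key-name pattern, the function names and the sample server.conf content are assumptions constructed for illustration.

```python
import hashlib
import re

# Assumption: setting names matching this pattern hold credentials.
SECRET_KEY = re.compile(r"pass|secret|token|key", re.I)

def split_stanzas(text):
    """Group setting lines by stanza, breaking before each '[' header line."""
    stanzas, current = {}, "default"  # lines above the first header land here
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        else:
            stanzas.setdefault(current, []).append(line)
    return stanzas

def redact(line):
    """Replace the value of a credential-like setting before it is indexed."""
    key, sep, _ = line.partition("=")
    if sep and SECRET_KEY.search(key):
        return f"{key.strip()} = <redacted>"
    return line

def stanza_events(path, text):
    """Return {stanza: (sha256 of the raw settings, redacted event text)}."""
    events = {}
    for name, lines in split_stanzas(text).items():
        # Hash the raw lines so a rotated secret still registers as a change.
        digest = hashlib.sha256("\n".join(lines).encode()).hexdigest()
        body = "\n".join(redact(l) for l in lines)
        events[name] = (digest, f"source={path} stanza=[{name}] sha256={digest}\n{body}")
    return events

def changed(previous, current):
    """Stanzas that were added, removed, or whose hash differs between runs."""
    return sorted(n for n in previous.keys() | current.keys()
                  if previous.get(n, (None,))[0] != current.get(n, (None,))[0])

# Constructed sample input (not taken from a real deployment).
OLD = "[general]\nserverName = idx01\npass4SymmKey = CONSTRUCTED-OLD\n\n[sslConfig]\nsslPassword = CONSTRUCTED\n"
NEW = OLD.replace("CONSTRUCTED-OLD", "CONSTRUCTED-NEW")

if __name__ == "__main__":
    before, after = stanza_events("server.conf", OLD), stanza_events("server.conf", NEW)
    for name in changed(before, after):
        if name in after:
            print(after[name][1])
```
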