Splunk precedence issue

rameshlpatel
Communicator

Hi,

I have an outputs.conf file under the etc/system/local folder with the following conf.

[tcpout-server://10.248.180.196:9997]
[tcpout:default-autolb-group]
server = 10.248.180.196:9997

In addition, I deployed an app with outputs.conf (with the following conf) from the deployment server to the etc/apps dir.

[tcpout-server://alpputl018:9997]

[tcpout:default-autolb-group]
server = alpputl018:9997

Ideally the app folder outputs.conf should override the system/local outputs.conf, meaning logs should be forwarded to alpputl018, but in my scenario it's still pointing to the old indexer, i.e. 10.248.180.196.

In addition, forwarder logs are forwarding to the new indexer, but not the application log.

This issue is really strange to me and not working as per Splunk precedence theory.

Please help me out to understand this issue.

sowings
Splunk Employee

$SPLUNK_HOME/etc/system/local takes precedence over any app config (whether local OR default) in $SPLUNK_HOME/etc/apps. If you are using the deployment server, you are best served by not placing any local (site-specific) configs in $SPLUNK_HOME/etc/system/local, since these cannot be overridden by apps sent by the deployment server.

Because of the precedence rules set out in $SPLUNK_HOME/etc/system/default/conf.conf, the behavior that [~rameshlpatel] is observing is correct, even if it's not what's intended.

sowings
Splunk Employee

BTW, "cd $SPLUNK_HOME/etc/system/default ; grep conf conf.conf | grep -v confdb". The apps provided from a cluster master (placed in the slave-apps folder on the clustered indexer) override even system/local!

rameshlpatel
Communicator

Thanks for clearing my doubts.

kheli
Path Finder

Indexing is a global context, so config in /etc/system/local will take precedence.

You can also use the btool command to find all outputs.conf values in a Splunk instance.

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati...

If you cannot see application logs being indexed, make sure the index for the application log is created on the indexer and the data input has been configured properly in the forwarder.

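As an added illustration (not part of this thread, and not Splunk's own code), the following Python script emulates the global-context layering that sowings describes and the file-by-file provenance that kheli suggests checking with btool. It assumes a simplified order of system/local, then the deployed app's local directory, then system/default (ordering among several apps is not modeled); the app directory name `deployed_outputs` is hypothetical, the two outputs.conf texts are the ones from the question, and the system/default text is a constructed stand-in for the shipped file.

```python
"""Emulate Splunk's global-context layering of outputs.conf (added example, not Splunk code).

Layers are evaluated highest precedence first and the first layer to set a key wins,
which is why a setting in etc/system/local cannot be overridden by a deployed app.
"""
from configparser import ConfigParser

# Paths are labels only; nothing is read from disk. App name is hypothetical.
SYSTEM_LOCAL_PATH = "etc/system/local/outputs.conf"
APP_LOCAL_PATH = "etc/apps/deployed_outputs/local/outputs.conf"
SYSTEM_DEFAULT_PATH = "etc/system/default/outputs.conf"

SYSTEM_LOCAL = """
[tcpout-server://10.248.180.196:9997]
[tcpout:default-autolb-group]
server = 10.248.180.196:9997
"""
APP_LOCAL = """
[tcpout-server://alpputl018:9997]

[tcpout:default-autolb-group]
server = alpputl018:9997
"""
# Constructed stand-in for the shipped default; the real file is longer.
SYSTEM_DEFAULT = """
[tcpout]
defaultGroup = default-autolb-group
"""
# Simplified global-context order, highest precedence first (assumption).
LAYERS = [
    (SYSTEM_LOCAL_PATH, SYSTEM_LOCAL),
    (APP_LOCAL_PATH, APP_LOCAL),
    (SYSTEM_DEFAULT_PATH, SYSTEM_DEFAULT),
]


def parse_conf(text):
    """Parse INI-style stanzas; keys keep their case and ':' is not a key/value delimiter."""
    cp = ConfigParser(interpolation=None, delimiters=("=",), allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(layers):
    """Return (merged config, provenance). Provenance maps (stanza, key) to the
    winning file and (stanza, None) to the file that introduced the stanza."""
    merged, source = {}, {}
    for path, text in layers:
        for stanza, settings in parse_conf(text).items():
            if stanza not in merged:
                merged[stanza] = {}
                source[(stanza, None)] = path
            for key, value in settings.items():
                if key not in merged[stanza]:  # first (highest) layer wins
                    merged[stanza][key] = value
                    source[(stanza, key)] = path
    return merged, source


def effective_server(merged, group="tcpout:default-autolb-group"):
    """The indexer the forwarder will actually send to for the given output group."""
    return merged.get(group, {}).get("server")


def shadowed_settings(layers):
    """Settings a lower layer sets that a higher layer already set:
    (stanza, key, shadowed file, winning file). Non-empty output means a
    deployed app cannot take effect for that setting."""
    seen, shadowed = {}, []
    for path, text in layers:
        for stanza, settings in parse_conf(text).items():
            for key in settings:
                if (stanza, key) in seen:
                    shadowed.append((stanza, key, path, seen[(stanza, key)]))
                else:
                    seen[(stanza, key)] = path
    return shadowed


def render_debug(merged, source):
    """Lines in the spirit of `splunk btool outputs list --debug`: source file, then setting."""
    lines = []
    for stanza in sorted(merged):
        lines.append(f"{source[(stanza, None)]:<44} [{stanza}]")
        for key in sorted(merged[stanza]):
            lines.append(f"{source[(stanza, key)]:<44} {key} = {merged[stanza][key]}")
    return lines


if __name__ == "__main__":
    merged, source = merge_layers(LAYERS)
    print("\n".join(render_debug(merged, source)))
    print("effective server:", effective_server(merged))
    for stanza, key, loser, winner in shadowed_settings(LAYERS):
        print(f"[{stanza}] {key}: {loser} is shadowed by {winner}")
    # Dropping the site-specific setting from system/local lets the deployed app win.
    print("without system/local:", effective_server(merge_layers(LAYERS[1:])[0]))
```

On a real forwarder the equivalent check is `splunk btool outputs list --debug`, whose left-hand column shows which file each effective setting came from; the `shadowed_settings` audit above is the part btool does not do for you, listing every setting a deployed app is trying to set that system/local already pins.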
rameshlpatel
Communicator

The index has been created on the new indexer and the monitoring path is also properly configured in the forwarders.

rameshlpatel
Communicator

I ran btool and it's showing the old one. Now the problem is how I override this configuration with the new one from the deployment server?
