Getting Data In

Splunk precedence issue

rameshlpatel
Communicator

Hi,

I have an outputs.conf file under the etc/system/local folder with the following conf.

[tcpout-server://10.248.180.196:9997]
[tcpout:default-autolb-group]
server = 10.248.180.196:9997

In addition, I deployed an app with outputs.conf (with the following conf) from the deployment server to the etc/apps dir.

[tcpout-server://alpputl018:9997]

[tcpout:default-autolb-group]
server = alpputl018:9997

Ideally, the app folder's outputs.conf should override the system/local outputs.conf, meaning logs should be forwarded to alpputl018, but in my scenario it is still pointing to the old indexer, i.e. 10.248.180.196.

In addition, forwarder logs are being forwarded to the new indexer, but not the application logs.

This issue is really strange to me and is not working as per Splunk precedence theory.

Please help me out to understand this issue.


sowings
Splunk Employee

$SPLUNK_HOME/etc/system/local takes precedence over any app config (whether local OR default) in $SPLUNK_HOME/etc/apps. If you are using the deployment server, you are best served by not placing any local (site-specific) configs in $SPLUNK_HOME/etc/system/local, since these cannot be overridden by apps sent by the deployment server.

Because of the precedence rules set out in $SPLUNK_HOME/etc/system/default/conf.conf, the behavior that rameshlpatel is observing is correct, even if it's not what's intended.

sowings
Splunk Employee

btw, "cd $SPLUNK_HOME/etc/system/default ; grep conf conf.conf | grep -v confdb". The apps provided from a cluster master (placed in the slave-apps folder on the clustered indexer) override even system/local!

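As an added example, not code from the original thread or from Splunk, the script below replays the global-context layering that sowings describes over the two outputs.conf files in the question, plus a constructed stand-in for system/default. The app directory name is hypothetical. With a copy of the stanza in system/local the effective `server` stays 10.248.180.196:9997, and it only becomes alpputl018:9997 once that copy is removed, which is why an app pushed from the deployment server cannot win on its own. On a real forwarder, `splunk btool outputs list --debug` prints the same merge with the originating file beside each setting.

```python
"""Added example (not Splunk's code): a small model of Splunk's global-context
configuration layering, showing why an outputs.conf in
$SPLUNK_HOME/etc/system/local beats one pushed by the deployment server into
$SPLUNK_HOME/etc/apps/<app>/local. The app name and the contents of
system/default are constructed for this example."""
import configparser
from pathlib import PurePosixPath

# Constructed file contents mirroring the thread. Paths are relative to
# $SPLUNK_HOME/etc.
SYSTEM_LOCAL_OUTPUTS = """
[tcpout-server://10.248.180.196:9997]
[tcpout:default-autolb-group]
server = 10.248.180.196:9997
"""

DEPLOYED_APP_OUTPUTS = """
[tcpout-server://alpputl018:9997]
[tcpout:default-autolb-group]
server = alpputl018:9997
"""

# Constructed stand-in for the shipped defaults; the real file is much longer.
SYSTEM_DEFAULT_OUTPUTS = """
[tcpout]
defaultGroup = default-autolb-group
"""


def precedence_key(path: str) -> tuple:
    """Global-context precedence as Splunk documents it: system/local first,
    then app local dirs, then app default dirs, then system/default. Ties
    between apps are broken by ASCII order of the app name, first wins."""
    parts = PurePosixPath(path).parts
    if parts[:2] == ("system", "local"):
        return (0, "")
    if parts[0] == "apps" and parts[2] == "local":
        return (1, parts[1])
    if parts[0] == "apps" and parts[2] == "default":
        return (2, parts[1])
    if parts[:2] == ("system", "default"):
        return (3, "")
    raise ValueError(f"not a recognised Splunk config location: {path}")


def effective_config(files: dict) -> dict:
    """Merge stanza by stanza, applying the lowest-priority file first so the
    highest-priority file's settings are the ones left standing."""
    merged: dict = {}
    for path in sorted(files, key=precedence_key, reverse=True):
        parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
        parser.optionxform = str  # Splunk setting names are case-sensitive
        parser.read_string(files[path])
        for stanza in parser.sections():
            merged.setdefault(stanza, {}).update(parser.items(stanza))
    return merged


def indexer_for_default_group(files: dict) -> str:
    """Return the server the default-autolb-group would send to."""
    return effective_config(files)["tcpout:default-autolb-group"]["server"]


# Hypothetical app name for the outputs app pushed by the deployment server.
APP_OUTPUTS = "apps/org_all_forwarder_outputs/local/outputs.conf"

# The forwarder as described in the question.
AS_DESCRIBED_IN_THREAD = {
    "system/local/outputs.conf": SYSTEM_LOCAL_OUTPUTS,
    APP_OUTPUTS: DEPLOYED_APP_OUTPUTS,
    "system/default/outputs.conf": SYSTEM_DEFAULT_OUTPUTS,
}

# The same forwarder with no site-specific outputs.conf in system/local.
AFTER_MOVING_OUT_OF_SYSTEM_LOCAL = {
    APP_OUTPUTS: DEPLOYED_APP_OUTPUTS,
    "system/default/outputs.conf": SYSTEM_DEFAULT_OUTPUTS,
}

if __name__ == "__main__":
    print("with system/local:", indexer_for_default_group(AS_DESCRIBED_IN_THREAD))
    print("apps only:        ", indexer_for_default_group(AFTER_MOVING_OUT_OF_SYSTEM_LOCAL))
```

The app-versus-app tie-break matters once several deployed apps carry the same stanza: by the documented ASCII rule, an app named `A_site` beats one named `z_site`, so an uppercase-prefixed base app can quietly override a lowercase-prefixed site app. Check the result on the host with btool rather than reasoning about it.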

rameshlpatel
Communicator

Thanks for clearing my doubts.


kheli
Path Finder

Indexing is a global context, so config in /etc/system/local will take precedence.

You can also use the btool command to find all outputs.conf values in a Splunk instance.

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati...

If you cannot see that application logs are being indexed, make sure the index for the application log has been created on the indexer and the data input has been configured properly on the forwarder.


rameshlpatel
Communicator

The index has been created on the new indexer and the monitoring path is also properly configured on the forwarders.


rameshlpatel
Communicator

I ran btool and it is showing the old one. Now the problem is: how do I override this configuration with the new one from the deployment server?
