Hi,
I have an outputs.conf file under the etc/system/local folder with the following conf.
[tcpout-server://10.248.180.196:9997]
[tcpout:default-autolb-group]
server = 10.248.180.196:9997
In addition, I deployed an app with outputs.conf (with the following conf) from the deployment server to the etc/app dir.
[tcpout-server://alpputl018:9997]
[tcpout:default-autolb-group]
server = alpputl018:9997
Ideally, the app folder outputs.conf should override the system/local outputs.conf, which means logs should be forwarded to alpputl018, but in my scenario it's still pointing to the old indexer, i.e. 10.248.180.196.
In addition, forwarder logs are being forwarded to the new indexer, but not the application log.
This issue is really strange to me and is not working as per the Splunk precedence theory.
Please help me understand this issue.
$SPLUNK_HOME/etc/system/local takes precedence over any app config (whether local OR default) in $SPLUNK_HOME/etc/apps. If you are using the deployment server, you are best served by not placing any local (site-specific) configs in $SPLUNK_HOME/etc/system/local, since these cannot be overridden by apps sent by the deployment server.
Because of the precedence rules set out in $SPLUNK_HOME/etc/system/default/conf.conf, the behavior that [~rameshlpatel] is observing is correct, even if it's not what's intended.
btw, "cd $SPLUNK_HOME/etc/system/default ; grep conf conf.conf | grep -v confdb". The apps provided from a cluster master (placed in the slave-apps folder on the clustered indexer) override even system/local!
Thanks for clearing my doubts.
Indexing is a global context, so config in /etc/system/local will take precedence.
You can also use the btool command to find all outputs.conf values in a Splunk instance.
If you cannot see application logs being indexed, make sure the index for the application log is created in the indexer and the data input has been configured properly in the forwarder.
The index has been created in the new indexer and the monitoring path is also properly configured in the forwarders.
I ran btool and it's showing the old one. Now the problem is: how do I override this configuration with the new one from the deployment server?
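
The precedence described in the answers above, as an added example that is not part of the original thread and is not Splunk's own code: a simplified model that layers outputs.conf files in global-context order (system/local, then app local, app default, system/default) and records which file supplied each value. The app name fwd_outputs, its local directory and the sample tree are assumptions; cluster slave-apps are not modelled.

```python
# Added example: simplified model of Splunk's global-context layering for outputs.conf.
import tempfile
from pathlib import Path

def parse_conf(path):
    """Parse a .conf file into {stanza: {key: value}}; keys before any stanza go to 'default'."""
    stanzas, current = {}, "default"
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def layers(etc, conf="outputs.conf"):
    """Return existing conf files, highest precedence first (apps in name order)."""
    apps = sorted(p for p in (etc / "apps").glob("*") if p.is_dir())
    order = [etc / "system/local", *(a / "local" for a in apps),
             *(a / "default" for a in apps), etc / "system/default"]
    return [d / conf for d in order if (d / conf).is_file()]

def resolve(etc):
    """Merge all layers; the first layer to set a key wins. Returns {stanza: {key: (value, file)}}."""
    merged = {}
    for path in layers(Path(etc)):
        for stanza, kv in parse_conf(path).items():
            target = merged.setdefault(stanza, {})
            for key, value in kv.items():
                target.setdefault(key, (value, path.relative_to(etc).as_posix()))
    return merged

def build_sample(root, with_system_local=True):
    """Constructed sample tree mirroring the two outputs.conf files quoted in the thread."""
    etc = Path(root) / "etc"
    new = "[tcpout-server://alpputl018:9997]\n[tcpout:default-autolb-group]\nserver = alpputl018:9997\n"
    files = {"apps/fwd_outputs/local/outputs.conf": new}  # hypothetical app name
    if with_system_local:
        files["system/local/outputs.conf"] = new.replace("alpputl018", "10.248.180.196")
    for rel, body in files.items():
        (etc / rel).parent.mkdir(parents=True, exist_ok=True)
        (etc / rel).write_text(body)
    return etc

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for stanza, kv in resolve(build_sample(tmp)).items():
            print(stanza, kv)
```

With both files present, the `server` value in `[tcpout:default-autolb-group]` resolves to the system/local entry; calling `build_sample(tmp, with_system_local=False)` shows the app's value taking effect once that file is absent.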