Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What happens if you deploy an inputs.conf from a DS if an inputs.conf already exists?

russell120
Communicator
‎02-25-2019 07:33 PM

Hi,

Its just as the title suggests. If a have a deployment client with an inputs.conf thats already configured as such:

[monitor:///var/log/httpd]
index = web

If I push this inputs.conf to that deployment client from a deployment server?:

[monitor:///var/log/httpd]
index = webLogs

Will the web or webLogs index be populated with events? Or will both be?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎02-25-2019 07:50 PM

The deployment server works at the app level.

And the app has a set of files in directories which could include an inputs.conf.

So if you already had an inputs.conf in /opt/splunk/etc/myapp/local/inputs.conf and the server.conf is going to deploy myapp to the client it will overwrite it.

View solution in original post

Reply
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎02-25-2019 07:50 PM

The deployment server works at the app level.

And the app has a set of files in directories which could include an inputs.conf.

So if you already had an inputs.conf in /opt/splunk/etc/myapp/local/inputs.conf and the server.conf is going to deploy myapp to the client it will overwrite it.

Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎02-26-2019 12:17 AM

Exactly. And if they are not in the same app / folder, then Splunk determines the precedence based on the location of each inputs.conf: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...