Solved: What happens if you deploy an inputs.conf from a D...

russell120 · ‎02-25-2019

Hi,

Its just as the title suggests. If a have a deployment client with an inputs.conf thats already configured as such:

[monitor:///var/log/httpd]
index = web

If I push this inputs.conf to that deployment client from a deployment server?:

[monitor:///var/log/httpd]
index = webLogs

Will the web or webLogs index be populated with events? Or will both be?

burwell · ‎02-25-2019

The deployment server works at the app level.

And the app has a set of files in directories which could include an inputs.conf.

So if you already had an inputs.conf in /opt/splunk/etc/myapp/local/inputs.conf and the server.conf is going to deploy myapp to the client it will overwrite it.

View solution in original post

burwell · ‎02-25-2019

The deployment server works at the app level.

And the app has a set of files in directories which could include an inputs.conf.

So if you already had an inputs.conf in /opt/splunk/etc/myapp/local/inputs.conf and the server.conf is going to deploy myapp to the client it will overwrite it.

View solution in original post

FrankVl · ‎02-26-2019

Exactly. And if they are not in the same app / folder, then Splunk determines the precedence based on the location of each inputs.conf: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

What happens if you deploy an inputs.conf from a DS if an inputs.conf already exists?

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Learn More or Register Now >

What happens if you deploy an inputs.conf from a DS if an inputs.conf already exists?

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20. Learn More or Register Now >

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Learn More or Register Now >