Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What happens if you deploy an inputs.conf from a DS if an inputs.conf already exists?

russell120
Communicator
‎02-25-2019 07:33 PM

Hi,

Its just as the title suggests. If a have a deployment client with an inputs.conf thats already configured as such:

[monitor:///var/log/httpd]
index = web

If I push this inputs.conf to that deployment client from a deployment server?:

[monitor:///var/log/httpd]
index = webLogs

Will the web or webLogs index be populated with events? Or will both be?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎02-25-2019 07:50 PM

The deployment server works at the app level.

And the app has a set of files in directories which could include an inputs.conf.

So if you already had an inputs.conf in /opt/splunk/etc/myapp/local/inputs.conf and the server.conf is going to deploy myapp to the client it will overwrite it.

View solution in original post

Reply
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎02-25-2019 07:50 PM

The deployment server works at the app level.

And the app has a set of files in directories which could include an inputs.conf.

So if you already had an inputs.conf in /opt/splunk/etc/myapp/local/inputs.conf and the server.conf is going to deploy myapp to the client it will overwrite it.

Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎02-26-2019 12:17 AM

Exactly. And if they are not in the same app / folder, then Splunk determines the precedence based on the location of each inputs.conf: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...