If I use the command ./splunk add monitor /var/log,
-> /splunk/etc/apps/search/local/inputs.conf file will be modified.
However, if I use the command ./splunk add forward-server a.a.a.a:9997,
-> /splunk/etc/system/local/outputs.conf is modified.
Why are both the same cli tasks, but one modifies the file under the search app and the other modifies the system file?
Even considering the priority of the conf configuration file, both are GLOBAL CONTEXT, so I think they should both be placed under the System folder.
My question may be inappropriate or may have some shortcomings. I would really appreciate your advice.
Hi @munang,
the command is always the same (splunk) but the action is a different action, recorded in a different conf file:
In other words, the "splunk add" command updates a conf file, but the updated conf file depends on the object to update (inputs, outputs and so on).
I hope to be sufficiently clear.
Anyway, instead of using CLI commands, which write updates in the $SPLUNK_HOME/etc/system/local folder, make your updates directly in the conf files in dedicated apps in $SPLUNK_HOME/etc/apps/<your_app>/local, so you can manage them using the Deployment Server (DS cannot manage conf files in $SPLUNK_HOME/etc/system/local).
Ciao.
Giuseppe
Hello. Thank you very much for your kind reply.
May I ask one more question?
I understood what you were saying to mean that it is more appropriate to directly update the .conf file under $SPLUNK_HOME/etc/apps/<your_app>/local and manage it as a distribution server rather than using the add command.
Is there a reason why you don't recommend writing to the $SPLUNK_HOME/etc/system/local folder?
Hi @munang ,
as I said, the best approach is to manage all Forwarders (Universal and Heavy) using the Deployment Server.
It's a best practice to manage with the DS all the inputs (in apps), but also other configurations such as outputs.conf (addressing the Indexers) or deploymentclient.conf (addressing the Deployment Server).
The problem is that DS can manage only conf files in the $SPLUNK_HOME/etc/apps folder, so it cannot manage conf files in $SPLUNK_HOME/etc/system/local.
It's important to manage all Forwarders using the DS, especially when you have very many of them, and all configurations: e.g. if you have to add an Indexer or change the DS: if you have these conf files in a custom app, you can easily change them by the DS; if instead they are in $SPLUNK_HOME/etc/system/local, you have to manually update them.
I usually create a custom app (called e.g. TA_Forwarders) containing three conf files:
Ciao.
Giuseppe
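The custom forwarder app described in the answer above, as an added example that is not code from the thread or from Splunk: a POSIX shell function that lays out an app like the "TA_Forwarders" one with app-scoped inputs.conf, outputs.conf and deploymentclient.conf (the same settings the two CLI commands in the question would otherwise write into system/local), plus a check for the precedence problem the answer hints at. The stanza and key names are real Splunk configuration keys; the app name, monitor path, indexer address, index name and Deployment Server address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a Deployment-Server-manageable
# forwarder app instead of letting "splunk add ..." write into system/local.
# Stanza/key names are real Splunk keys; all values are constructed placeholders.

# Usage: write_forwarder_app <SPLUNK_HOME> <app_name> <monitor_path> <indexer:port> <ds_host:port>
# Prints the app's local/ directory on success.
write_forwarder_app() {
  splunk_home="$1"; app="$2"; mon="$3"; idx="$4"; ds="$5"
  appdir="$splunk_home/etc/apps/$app/local"
  mkdir -p "$appdir"

  # inputs.conf: same effect as "./splunk add monitor <path>", but app-scoped
  cat > "$appdir/inputs.conf" <<EOF
[monitor://$mon]
disabled = 0
index = main
EOF

  # outputs.conf: same effect as "./splunk add forward-server <host:port>"
  cat > "$appdir/outputs.conf" <<EOF
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = $idx
EOF

  # deploymentclient.conf: where this forwarder phones home for app updates
  cat > "$appdir/deploymentclient.conf" <<EOF
[target-broker:deploymentServer]
targetUri = $ds
EOF
  echo "$appdir"
}

# In the global context, system/local takes precedence over every app's local
# directory, so a file the CLI left in system/local silently overrides the
# DS-managed copy. Returns 0 when no such shadowing file exists for <conf>.
check_not_shadowed() {
  splunk_home="$1"; conf="$2"
  if [ -f "$splunk_home/etc/system/local/$conf" ]; then
    echo "WARNING: $splunk_home/etc/system/local/$conf overrides the app copy" >&2
    return 1
  fi
  return 0
}
```

Run `write_forwarder_app` once on a forwarder (or, better, in the app source tree you keep under version control and push from the Deployment Server), then run `check_not_shadowed` for each of the three conf names whenever a forwarder ignores a pushed change; a leftover system/local file is the usual cause.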
Hi
I don’t know why those inputs and outputs conf are placed to different places with same splunk cli command. Maybe someone from splunk dev can tell that.
It’s a best practice to use/create your own apps to collect configurations of one app/issue in one place. Then you could/should put it into git and get version control in place. You could also utilize deployment server/manager node/deployer to distribute it to correct places. You cannot use those tools with files under etc/system/local.
r. Ismo