Getting Data In

When I edit inputs.conf and outputs.conf using the cli command, is there a reason why the paths to the modified files ar

munang
Path Finder

If I use the command ./splunk add monitor /var/log,

-> /splunk/etc/apps/search/local/inputs.conf file will be modified.

However, if I use the command ./splunk add forward-server a.a.a.a:9997,

-> /splunk/etc/system/local/outputs.conf is modified.

 

Why are both the same cli tasks, but one modifies the file under the search app and the other modifies the system file?

Even considering the priority of the conf configuration file, both are GLOBAL CONTEXT, so I think they should both be placed under the System folder.

 

My question may be inappropriate or may have some shortcomings. I would really appreciate your advice.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @munang,

the command is always the same (splunk) but the action is a different action, recorded in a different conf file:

  • ./splunk add monitor /var/log adds a new input, and inputs are recorded in the inputs.conf file,
  • ./splunk add forward-server a.a.a.a:9997 adds a new destination, and it's recorded in outputs.conf.

In other words, the "splunk add" command updates a conf file, but the updated conf file depends on the object to update (inputs, outputs and so on).

I hope to be sufficiently clear.

Anyway, instead of using CLI commands, which write updates in the $SPLUNK_HOME/etc/system/local folder, make your updates directly in the conf files in dedicated apps in $SPLUNK_HOME/etc/apps/<your_app>/local, so you can manage them using the Deployment Server (DS cannot manage conf files in $SPLUNK_HOME/etc/system/local).

Ciao.

Giuseppe


munang
Path Finder

@gcusello 

 

Hello. Thank you very much for your kind reply.

May I ask one more question?

I understood what you were saying to mean that it is more appropriate to directly update the .conf file under $SPLUNK_HOME/etc/apps/<your_app>/local and manage it as a distribution server rather than using the add command.

Is there a reason why you don't recommend writing to the $SPLUNK_HOME/etc/system/local folder?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @munang ,

as I said, the best approach is to manage all Forwarders (Universal and Heavy) using the Deployment Server.

It's a best practice to manage with the DS all the inputs (in apps), but also other configurations such as outputs.conf (addressing the Indexers) or deploymentclient.conf (addressing the Deployment Server).

The problem is that the DS can manage only conf files in the $SPLUNK_HOME/etc/apps folder, so it cannot manage conf files in $SPLUNK_HOME/etc/system/local.

It's important to manage all Forwarders using the DS, especially when you have very many of them, and all configurations: e.g. if you have to add an Indexer or change the DS, if you have these conf files in a custom app you can easily change them by the DS; if instead they are in $SPLUNK_HOME/etc/system/local, you have to manually update them.

I usually create a custom app (called e.g. TA_Forwarders) containing three conf files:

  • app.conf: describing the name and the purpose of the app,
  • outputs.conf: addressing the Indexers,
  • deploymentclient.conf: addressing the Deployment Server.

Ciao.

Giuseppe

0 Karma
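The custom-app layout described in the answer above, as an added example that is not part of this thread and not Splunk's own tooling: a POSIX shell script that creates a TA_Forwarders app in the Deployment Server's app repository ($SPLUNK_HOME/etc/deployment-apps) with the three conf files, plus an audit function that flags outputs.conf, deploymentclient.conf or inputs.conf left behind in $SPLUNK_HOME/etc/system/local, where the DS cannot reach them. The indexer addresses, the deployment server URI, the output group name primary_indexers and the audit function itself are placeholders/assumptions, not settings from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the TA_Forwarders
# app in the Deployment Server repository and audits etc/system/local for
# conf files that "splunk add ..." leaves where the DS cannot manage them.
# All hostnames, ports and the group name are placeholders (assumptions).

# make_forwarder_app <splunk_home> <indexer_list> <ds_uri>
#   indexer_list: comma-separated host:port entries, e.g. "idx1:9997,idx2:9997"
#   ds_uri:       deployment server management URI, e.g. "ds.example.com:8089"
# Prints the path of the created app's local/ directory.
make_forwarder_app() {
    splunk_home=$1; indexers=$2; ds_uri=$3
    app_dir="$splunk_home/etc/deployment-apps/TA_Forwarders/local"
    mkdir -p "$app_dir"

    # app.conf: name and purpose of the app; hidden from the UI on the forwarder
    cat > "$app_dir/app.conf" <<EOF
[install]
state = enabled

[ui]
is_visible = false
label = TA_Forwarders

[package]
check_for_updates = false
EOF

    # outputs.conf: all indexers in one output group (what "add forward-server"
    # would otherwise write into etc/system/local/outputs.conf)
    cat > "$app_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $indexers
EOF

    # deploymentclient.conf: which DS the forwarder phones home to
    cat > "$app_dir/deploymentclient.conf" <<EOF
[target-broker:deploymentServer]
targetUri = $ds_uri
EOF
    echo "$app_dir"
}

# audit_system_local <splunk_home>
#   Prints every outputs.conf, deploymentclient.conf or inputs.conf found under
#   etc/system/local (files the DS cannot manage). Returns 1 if any are found,
#   0 if that directory is clean. server.conf is left alone on purpose: Splunk
#   itself maintains it there.
audit_system_local() {
    local_dir="$1/etc/system/local"
    found=0
    for f in "$local_dir"/*.conf; do
        [ -e "$f" ] || continue
        case $(basename "$f") in
            outputs.conf|deploymentclient.conf|inputs.conf)
                echo "move to an app: $f"; found=1 ;;
        esac
    done
    return $found
}

# Usage (on the Deployment Server), with placeholder addresses:
#   make_forwarder_app "$SPLUNK_HOME" "10.0.0.1:9997,10.0.0.2:9997" "ds.example.com:8089"
#   audit_system_local "$SPLUNK_HOME"
```

After the app exists in deployment-apps, it still has to be mapped to a server class in serverclass.conf on the DS before forwarders receive it; on the forwarder it then lands under $SPLUNK_HOME/etc/apps/TA_Forwarders, which is exactly the location the answer recommends over etc/system/local.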

isoutamo
SplunkTrust
SplunkTrust

Hi

I don’t know why those inputs and outputs conf are placed to different places with same splunk cli command. Maybe someone from splunk dev can tell that.
It’s a best practice to use/create your own apps to collect configurations of one app/issue in one place. Then you could/should put it into git and get version control in place. You could also utilize deployment server/manager node/deployer to distribute it to the correct places. You cannot use those tools with files under etc/system/local.

r. Ismo

