Getting Data In
Highlighted

crcSalt entries getting deleted on Forwarders inputs.conf, when changing Forwarder Data Inputs through GUI

New Member

Hello and good afternoon.

I did run into the following issue and was wondering if anybody experienced the same and/or probably even has a solution:

The Splunk Indexer and Forwarder we have are on these versions: Splunk 7.1.2 (build a0c72a66db66), Splunk Universal Forwarder 7.1.2 (build a0c72a66db66). The OS on both hosts is CentOS Linux release 7.5.1804

In the GUI we configured (as admin user) for the Forwarder under Data inputs | Forwarded inputs | Files & directories certain entries. They are written on the Forwarder into file /opt/splunkforwarder/etc/apps/serverapp_SERVERCLASS1/local/inputs.conf, with SERVERCLASS1 being the Server Class.

Entries in the Forwarders inputs.conf look, after adding them through the GUI, for instance like this:

[monitor:///home/donald.duck/splunk_upload_dir/my_app1/*syslogs.log.txt]
disabled = 0
index = my_app1_index
sourcetype = my_app1_sourcetype
blacklist = \.filepart$
host = server1

[monitor:///home/goo.fey/splunk_upload_dir/my_app2/*applogs.log.txt]
disabled = 0
index = my_app2_index
sourcetype = my_app2_sourcetype
blacklist = \.filepart$
host = server2

In our environment however, the need arose to add also the crcSalt = entry for each section on the Forwarders inputs.conf file. Otherwise all source files won't be indexed properly or rather "won't be displayed as Sources" I should say.

So in respect to the above examples, the file looks afterwards like follows:

[monitor:///home/donald.duck/splunk_upload_dir/my_app1/*disney1.log.txt]
blacklist = \.filepart$
disabled = 0
index = my_app1_index
sourcetype = my_app1_sourcetype
host = server1
crcSalt = <SOURCE>

[monitor:///home/goo.fey/splunk_upload_dir/my_app2/*disney2.log.txt]
blacklist = \.filepart$
disabled = 0
index = my_app2_index
sourcetype = my_app2_sourcetype
host = server2
crcSalt = <SOURCE>

The crcSalt entry however, only can be made through the command line on OS level and not through the GUI.
As it turned out however, whenever a change is made in the GUI through Data inputs | Forwarded inputs | Files & directories to --any-- of these entries there and saved, --all-- the crcSalt entries in the inputs.conf file on the Forwarder disappear and manually will have to be re-done.

In my opinion this is not user friendly, a usual GUI-user might wonder why all of a sudden the indexed files won't show up as sources in the GUI anymore, not to mention a usual GUI user does not necessarily have access to command line level at all, to re-do the crcSalt entries.


Making on the other hand changes through Data inputs | Local inputs | Files & directories, so for the Indexer instead, through the GUI, does not remove "crcSalt" entries on the relevant inputs.conf file on the Indexer, e.g. under /opt/splunk/etc/apps/my_app1/local/inputs.conf.

Any ideas?

Many thanks in advance for the feedback and help.

With best regards

Ingo Bahn.

0 Karma
Highlighted

Re: crcSalt entries getting deleted on Forwarders inputs.conf, when changing Forwarder Data Inputs through GUI

Legend

Hi ingobahn,
maybe I'm old but I usually manage inputs.conf in Forwarders using Deployment Server and not the GUI!
In other words i suggest to create a Technical Add-On (TA) on your Splunk Enterprise Server putting your inputs.conf in an App and then deploy it to your forwarder following instructions at https://docs.splunk.com/Documentation/Splunk/7.1.2/Updating/Deploymentserverarchitecture .

Bye.
Giuseppe

0 Karma