Getting Data In

inputs.conf gets overwritten on HF/DS

ojay
Path Finder

Hi all,

I have a file that I want to monitor on the Heavy Forwarder (HF), which is the Deployment Server (DS) at the same time.

Since a deployment server cannot be a client of itself, I place the manually created app in:

/opt/splunk/etc/apps/appname/default/inputs.conf

Now, after I reconfigure the inputs, after some time the update gets randomly removed again, as if it were a deployed app.

My question now: what is the best practice to monitor local files on a HF/DS?

 

Best,

O.

0 Karma

hoaxm3
Path Finder

Any app in the /etc/apps directory would not be affected by the forwarder management side of things. The issue is more than likely that you are setting your configs in the $splunk_home/etc/apps/appname/default/.. directory. When you create a base config/app, your configs need to live in the /appname/local/*.conf directory. This lets Splunk know that these are custom configs and should not be changed. Additionally, make sure that you don't have any affecting stanzas matching your inputs files. Check with btool whether any inputs are taking precedence before your config:

splunk btool inputs list <stanza> --debug

0 Karma

codebuilder
Influencer

A deployment server being a client of itself is not supported but is possible. Check to be certain that you don't have deploymentclient.conf set on the DS under $SPLUNK_HOME/etc/system/local/

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
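The checks suggested in the two answers above can be run together as a read-only shell function. This is an added example, not code from any poster or from Splunk. The function name and output labels are made up here, and it assumes the default etc/deployment-apps repository location.

```shell
#!/bin/sh
# Added example: read-only checks for a DS that may be acting as its own
# deployment client. Names and output labels are hypothetical.
#
# check_ds_self_client SPLUNK_HOME APPNAME
# Prints one finding per line; returns 1 if a self-client indicator is found.
check_ds_self_client() {
    home=$1; app=$2; rc=0

    # 1. A deploymentclient.conf with a targetUri makes this instance a
    #    deployment client. Check system/local and every app directory.
    for f in "$home"/etc/system/local/deploymentclient.conf \
             "$home"/etc/apps/*/local/deploymentclient.conf \
             "$home"/etc/apps/*/default/deploymentclient.conf; do
        [ -f "$f" ] || continue          # unmatched glob or missing file
        if grep -Eq '^[[:space:]]*targetUri[[:space:]]*=' "$f"; then
            echo "CLIENT_CONF $f"; rc=1
        fi
    done

    # 2. An app of the same name staged for deployment is worth checking:
    #    a client that receives it gets the staged copy, not the local edit.
    if [ -d "$home/etc/deployment-apps/$app" ]; then
        echo "STAGED_APP $home/etc/deployment-apps/$app"; rc=1
    fi

    # 3. Report which layer(s) of the app hold inputs.conf.
    for d in default local; do
        if [ -f "$home/etc/apps/$app/$d/inputs.conf" ]; then
            echo "INPUTS_IN $d"
        fi
    done
    return $rc
}

# Run as a script: sh check.sh /opt/splunk appname
if [ "$#" -eq 2 ]; then
    check_ds_self_client "$1" "$2"
fi
```

Any CLIENT_CONF or STAGED_APP line is a reason to look at serverclass.conf before editing the app again; the btool command quoted above then shows which inputs.conf stanza actually wins.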