Re: inputs.conf gets overwritten on HF/DS

ojay · ‎06-30-2021

hi all,

I have a file that i want to monitor on the Heavy Forwarder HF which is the Deployment Server DS at the same time.

Since a deployment server cannot be a client of itself I place the manually created app to

/opt/splunk/etc/apps/appname/default/inputs.conf

Now after i reconfigure the inputs. After some time the updated gets randomly removed again. As if it is a deployed app.

My question now. What is the best practice to monitor local files on a HF/DS?

Best,

O.

hoaxm3 · ‎07-03-2021

Any app in the /etc/apps directory would not be affected from the forwarder management side of things. The issue is more than likely that you are setting your configs in the $splunk_home/etc/apps/appname/default/.. directory. When you create a base config/app, your configs need to live in the /appname/local/*.conf directory. This lets Splunk know that these are custom configs and should not be changed. Additionally, make sure that you dont have any affecting stanzas matching your inputs files. Check with btool if there are any inputs taking precedence before your config:

splunk btool inputs list <stanza> --debug

codebuilder · ‎07-02-2021

A deployment server being a client of itself is not supported but is possible. Check to be certain that you you don't have deploymentclient.conf set on the DS under $SPLUNK_HOME/etc/system/local/

----
An upvote would be appreciated and Accept Solution if it helps!

inputs.conf gets overwritten on HF/DS

inputs.conf

universal forwarder

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?