Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

inputs.conf gets overwritten on HF/DS

ojay
Path Finder
‎06-30-2021 05:47 AM

hi all,

I have a file that i want to monitor on the Heavy Forwarder HF which is the Deployment Server DS at the same time.

Since a deployment server cannot be a client of itself I place the manually created app to 

/opt/splunk/etc/apps/appname/default/inputs.conf

Now after i reconfigure the inputs. After some time the updated gets randomly removed again. As if it is a deployed app.

My question now. What is the best practice to monitor local files on a HF/DS? 

 

Best,

O.

Labels (2)
0 Karma
Reply

hoaxm3
Path Finder
‎07-03-2021 09:23 AM

Any app in the /etc/apps directory would not be affected from the forwarder management side of things. The issue is more than likely that you are setting your configs in the $splunk_home/etc/apps/appname/default/.. directory. When you create a base config/app, your configs need to live in the /appname/local/*.conf directory. This lets Splunk know that these are custom configs and should not be changed. Additionally, make sure that you dont have any affecting stanzas matching your inputs files. Check with btool if there are any inputs taking precedence before your config:

splunk btool inputs list <stanza> --debug

0 Karma
Reply

codebuilder
Influencer
‎07-02-2021 12:58 PM

A deployment server being a client of itself is not supported but is possible. Check to be certain that you you don't have deploymentclient.conf set on the DS under $SPLUNK_HOME/etc/system/local/

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...