hi all,
I have a file that i want to monitor on the Heavy Forwarder HF which is the Deployment Server DS at the same time.
Since a deployment server cannot be a client of itself I place the manually created app to
/opt/splunk/etc/apps/appname/default/inputs.conf
Now after i reconfigure the inputs. After some time the updated gets randomly removed again. As if it is a deployed app.
My question now. What is the best practice to monitor local files on a HF/DS?
Best,
O.
Any app in the /etc/apps directory would not be affected from the forwarder management side of things. The issue is more than likely that you are setting your configs in the $splunk_home/etc/apps/appname/default/.. directory. When you create a base config/app, your configs need to live in the /appname/local/*.conf directory. This lets Splunk know that these are custom configs and should not be changed. Additionally, make sure that you dont have any affecting stanzas matching your inputs files. Check with btool if there are any inputs taking precedence before your config:
splunk btool inputs list <stanza> --debug
A deployment server being a client of itself is not supported but is possible. Check to be certain that you you don't have deploymentclient.conf set on the DS under $SPLUNK_HOME/etc/system/local/