Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

inputs.conf gets overwritten on HF/DS

ojay
Path Finder
‎06-30-2021 05:47 AM

hi all,

I have a file that i want to monitor on the Heavy Forwarder HF which is the Deployment Server DS at the same time.

Since a deployment server cannot be a client of itself I place the manually created app to 

/opt/splunk/etc/apps/appname/default/inputs.conf

Now after i reconfigure the inputs. After some time the updated gets randomly removed again. As if it is a deployed app.

My question now. What is the best practice to monitor local files on a HF/DS? 

 

Best,

O.

Labels (2)
0 Karma
Reply

hoaxm3
Path Finder
‎07-03-2021 09:23 AM

Any app in the /etc/apps directory would not be affected from the forwarder management side of things. The issue is more than likely that you are setting your configs in the $splunk_home/etc/apps/appname/default/.. directory. When you create a base config/app, your configs need to live in the /appname/local/*.conf directory. This lets Splunk know that these are custom configs and should not be changed. Additionally, make sure that you dont have any affecting stanzas matching your inputs files. Check with btool if there are any inputs taking precedence before your config:

splunk btool inputs list <stanza> --debug

0 Karma
Reply

codebuilder
Influencer
‎07-02-2021 12:58 PM

A deployment server being a client of itself is not supported but is possible. Check to be certain that you you don't have deploymentclient.conf set on the DS under $SPLUNK_HOME/etc/system/local/

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...