I wanted to change "Allowed Domains" field under Server Settings -> Email settings.

When I do it using website I get following log in audit.log:

"changes":[{"stanza":"email","properties":[{"name":"allowedDomainList","new_value":"domain1.sk","old_value":""},

When new application is installed I can see following log line saying that value is changing:

"changes":[{"stanza":"email","properties":[{"name":"allowedDomainList","new_value":"domain2.sk","old_value":""},

But difference is, that if value is changed using deployment application, I don't see accurate change on website - Allowed Domains is empty.

How would you do this?

Restart didn't help.

Login to any of those servers and use 

splunk btool alert_actions list --debug

In this way you see from which file each setting is coming.

I’m not sure, but there could be some settings in this config which are working only from …/system/local or at least that was case on older versions (6.x and 7.x)?
r. Ismo

Hello

Thank you for your answer. I tried your command and I have got:

root@MSVMSLMCLM01:/opt/splunk/bin# ./splunk btool alert_actions list --debug | grep allowed
/opt/splunk/etc/apps/setSplunkCommonConfig/default/alert_actions.conf allowedDomainList = domain.sk
root@MSVMSLMCLM01:/opt/splunk/bin# ./splunk btool alert_actions list --debug | grep from
/opt/splunk/etc/apps/setSplunkCommonConfig/default/alert_actions.conf from = splunk@domain.sk

So this looks like settings are used from correct file, file from pushed application. But when I check web on this machine, those values are empty:

Any idea?

You are absolutely right. Splunk ran under root account. I have changed it already, but it didn't help.

Normal universal forwarders works great, only Splunk servers don't change configuration. But I will handle it using ../local/ files as you suggested.

Thank you,

Nope. Is it neccesary to restart splunkd?