
Why does inputs.conf change look fine outside docker, but look wrong inside docker?

dstromberg

Hi folks.

I posted here recently exploring how to automatically add an index when docker-compose is bringing up the splunk container.  That post is at https://forums.docker.com/t/add-an-entrypoint-and-command-without-messing-up-the-invocation/123686

I had it working, but it no longer does, and I somewhat-suspect a docker volume problem as well as somewhat-suspect a permissions issue, and also somewhat suspect an OS upgrade.  But I really don't know what the problem is.

Inside the splunk container, I see:

[root@splunk splunk]# cat /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf
[http]
disabled = 0

[http://splunk_hec_token]
disabled = 0
token = really-big-token-thingie

Which is really not what I want.

And outside the splunk container (on the MacOS side), I see:

$ cat splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/inputs.conf
cmd output started 2022 Mon May 02 04:19:43 PM PDT
[http]
disabled = 0

[http://splunk_hec_token]
disabled = 0
token = really-big-token-thingie
index = dev_game-publishing

That is what I want.

In my docker-compose, I have (among other things):

volumes:

- ./splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/ /opt/splunk/etc/apps/splunk_httpinput/local/

(That long volume line is all-one-line.  It may or may not be wrapping when you view it, though it is wrapping in this editor)

I tried both setting up a volume for the entire directory, as well as just that one file.    I'm hearing that doing an entire directory tends to be more reliable, but both failed the same way.

The directory containing the file is owned by splunk and has restrictive permissions:

[ansible@splunk splunk]$ cat /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf
cat: /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf: Permission denied
[ansible@splunk splunk]$ ls -l /opt/splunk/etc/apps/splunk_httpinput/
total 12
drwxr-xr-x 2 splunk splunk 4096 Jan 15 03:31 default
drwx------ 2 splunk splunk 4096 May 2 22:14 local
drwx------ 2 splunk splunk 4096 May 2 22:14 metadata
[ansible@splunk splunk]$

Which explains why the ansible user can't cat it.  But is ansible painting itself into a corner and preventing itself from making all the changes I need?

I also upgraded from MacOS 11.x to 12.3 in between when this was working, and when it stopped.  I don't know if that's related or not.

I have next to no Splunk and even less Ansible.

Thanks for any and all suggestions!


dstromberg

It turned out my volume spec was off.

I had source dest, where I needed source:dest.

Why docker-compose didn't complain, I have no idea.
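
A check for the mistake described in the answer above, as an added example that is not part of the original post: it scans compose text for short-syntax volume entries and flags any written as source dest instead of source:dest. The function names and the sample file are assumptions made for illustration; only block-list short syntax with POSIX paths is handled, not the long (type/source/target) syntax.

```python
import re

# Constructed sample: the entry from the post, then the corrected form.
SAMPLE = """\
services:
  splunk:
    volumes:

      - ./splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/ /opt/splunk/etc/apps/splunk_httpinput/local/
      - ./splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/:/opt/splunk/etc/apps/splunk_httpinput/local/
"""

def volume_entries(compose_text):
    """Yield (line_no, entry) for list items under any 'volumes:' key (line scanner, not a YAML parser)."""
    in_volumes = False
    for no, raw in enumerate(compose_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments do not end the list
        if line == "volumes:":
            in_volumes = True
        elif in_volumes and line.startswith("- "):
            yield no, line[2:].strip().strip("'\"")
        else:
            in_volumes = False

def lint_entry(entry):
    """Return a finding for one short-syntax entry, or None if it looks sane."""
    fields = entry.split(":")
    if len(fields) == 1:
        if re.search(r"\s", entry):
            return "no ':' separator; 'source dest' should be 'source:dest'"
        return None  # a lone container path is valid (anonymous volume)
    if len(fields) > 3:
        return "more than three ':'-separated fields"
    if any(f != f.strip() for f in fields):
        return "whitespace next to ':'"
    if not fields[1].startswith("/"):
        return "container path is not absolute"
    return None

def lint_compose(compose_text):
    """Return [(line_no, entry, finding)] for every suspicious volume entry."""
    return [(no, e, msg) for no, e in volume_entries(compose_text)
            if (msg := lint_entry(e))]

if __name__ == "__main__":
    for no, entry, msg in lint_compose(SAMPLE):
        print(f"line {no}: {msg}\n    {entry}")
```

Running a check like this before bringing the stack up catches the entry early; comparing the file inside and outside the container, as in the question, confirms the mount afterwards.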

 
