Splunk Dev

How to preserve all configured data inputs when upgrading a custom app using Splunk Add-on Builder?

benhooper
Communicator

I've found that upgrading a custom app built with Splunk Add-on Builder is clearing all configured data inputs. Is there a way to prevent this?

0 Karma

benhooper
Communicator

BUMP.

0 Karma

rnowitzki
Builder

Hi @benhooper ,

My guess is that the definitions / .conf files were stored in the ./default directory of the app and not ./local, so they were overwritten when the app was updated.

BR 
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma

benhooper
Communicator

Hi @rnowitzki

Good idea but I've just checked and found that this configuration is stored in file /opt/splunk/etc/apps/<app name>/local/inputs.conf.

Thanks,

Ben.

0 Karma

rnowitzki
Builder

Hi @benhooper,

Hmm, ok. Is it stored in ./local within the structure of the tar.gz of the app? That would be against the law 🙂

Or do you mean the inputs.conf is still there in the filesystem, but you don't see it in the GUI?

BR
Ralph

--
Karma and/or Solution tagging appreciated.

benhooper
Communicator

Hi @rnowitzki

My previous message was in regards to where the active, correct configuration is stored.

Your message led me to look inside the archive and I found that, by default, the file <appName>_<appVersion>_export.tgz/<appName>_<appVersion>_export.tgz/<appName>/local/inputs.conf exists and contains the default / generic config. Simply deleting that file from the archive solves the problem because it can't be used to overwrite the live file.

Thanks!

0 Karma

benhooper
Communicator

Bonus points to anyone who can tell me how I can prevent these files from being exported in the first place! It's a nuisance having to manually remove them every time I export.

0 Karma

rnowitzki
Builder

Hi @benhooper ,

You mean to prevent the inputs.conf of the tar.gz from overwriting the inputs.conf of the app?

The problem is with the archive itself; it should not have any inputs.conf in ./local. It should deliver its inputs.conf in the ./default directory. That way it would extract the new copy, but the app would still use the one in ./local because of conf file precedence rules.

Where is the app coming from?

BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma

benhooper
Communicator

Hi @rnowitzki ,

The app is being exported from the Splunk Add-on Builder.

Thanks,

Ben.

0 Karma
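The manual fix described in this thread (deleting `local/inputs.conf` from the exported archive before upgrading) can be scripted. The following is an added example, not part of the original posts and not Splunk's or Add-on Builder's own code; it assumes a single-level `.tgz` laid out as `<appName>/local/...`, generalizes to dropping everything under `local/`, and uses a constructed sample archive with the hypothetical app name `my_addon`.

```python
import io
import tarfile


def strip_local(src_tgz):
    """Return (cleaned .tgz bytes, removed member names) with <app>/local/ dropped."""
    removed = []
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(src_tgz), mode="r:gz") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src:
            # Normalise "./app/local/x" and "app/local/x" to the same parts.
            parts = [p for p in member.name.split("/") if p not in ("", ".")]
            # Assumed layout: parts[0] is the app directory, parts[1] its subdirectory.
            if len(parts) >= 2 and parts[1] == "local":
                removed.append(member.name)
                continue
            data = src.extractfile(member) if member.isfile() else None
            dst.addfile(member, data)
    return out.getvalue(), removed


def build_sample():
    """Constructed sample export: default/ and local/ both ship an inputs.conf."""
    files = {
        "my_addon/default/inputs.conf": b"[my_input]\ninterval = 300\n",
        "my_addon/local/inputs.conf": b"[my_input://generic]\ninterval = 60\n",
        "my_addon/default/app.conf": b"[launcher]\nversion = 1.0.1\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def member_names(tgz):
    """List member names of an in-memory .tgz."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        return tar.getnames()


if __name__ == "__main__":
    cleaned, removed = strip_local(build_sample())
    print("removed:", removed)
    print("kept:", member_names(cleaned))
```

To use it on a real export, read the file's bytes, pass them to `strip_local`, and write the returned bytes to a new `.tgz` before installing the upgrade.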