Splunk Enterprise

Need help excluding etc/system/local/inputs.conf from being replicated across the search cluster

gazoscreek
Path Finder

I recently issued a "splunk set default-hostname <hostname>" on a new node I added to our search cluster. It ended up replicating etc/system/local/inputs.conf to all other members, so obviously, all search members began logging their events with the same 'host' field.

So, if I want to avoid this in the future, how do I leverage conf_replication_summary.excludelist to blacklist the file from replication?

I'm thinking that it'd be something like this, but I really don't know as I've never used this flag before.

[shclustering]
conf_replication_summary.excludelist.inputs = etc[/\\]system[/\\]local[/\\]inputs\.conf


Thank you.

0 Karma

PickleRick
SplunkTrust

Are you actually sure that this was what caused your issue? Inputs shouldn't replicate by default AFAIR.

0 Karma

gazoscreek
Path Finder

Almost positive ...

There are a few Enterprise Security helper apps ( like SA-IdentityManagement ) that as delivered come with:

( cat SA-IdentityManagement/default/inputs.conf )

[shclustering]

conf_replication_include.distsearch = true
conf_replication_include.inputs = true
conf_replication_include.identityLookup = true

I believe that's in some way responsible for this ... but I have no clue as to why this (and several other helper apps) are coming with [shclustering] blocks in an inputs.conf

0 Karma
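An added example (not from the thread or from Splunk) that audits a set of .conf files for the [shclustering] conf_replication_include flags described above and tests the excludelist regex from the question against file paths. It assumes the excludelist regex is matched against paths relative to $SPLUNK_HOME, as the question does; the file contents are constructed samples.

```python
# Added example: audit Splunk .conf files for forced replication flags and
# check a conf_replication_summary.excludelist regex against file paths.
import re

def parse_conf(text):
    """Minimal parser for Splunk's [stanza] / key = value .conf format."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def replicated_conf_files(files):
    """{path: [conf names]} for files whose [shclustering] stanza sets
    conf_replication_include.<name> = true (e.g. app-shipped inputs.conf)."""
    found = {}
    for path, text in files.items():
        sh = parse_conf(text).get("shclustering", {})
        names = [k.split(".", 1)[1] for k, v in sh.items()
                 if k.startswith("conf_replication_include.") and v.lower() == "true"]
        if names:
            found[path] = names
    return found

def excluded_paths(regex, paths):
    """Paths an excludelist regex (assumed to be searched in the path) would match."""
    pat = re.compile(regex)
    return [p for p in paths if pat.search(p)]

# Constructed sample files, paths relative to $SPLUNK_HOME (hypothetical hostnames)
SAMPLE_FILES = {
    "etc/apps/SA-IdentityManagement/default/inputs.conf":
        "[shclustering]\nconf_replication_include.distsearch = true\n"
        "conf_replication_include.inputs = true\nconf_replication_include.identityLookup = true\n",
    "etc/system/local/inputs.conf": "[default]\nhost = sh-new-01\n",
    "etc/apps/search/local/inputs.conf": "[monitor:///var/log/app]\nindex = app\n",
}
EXCLUDE_RE = r"etc[/\\]system[/\\]local[/\\]inputs\.conf"   # regex from the question

if __name__ == "__main__":
    for path, names in replicated_conf_files(SAMPLE_FILES).items():
        print(f"{path}: forces replication of {', '.join(names)}")
    print("excluded from replication:", excluded_paths(EXCLUDE_RE, SAMPLE_FILES))
```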

PickleRick
SplunkTrust

Ok. This makes sense. Unfortunately. ES does some wacky things by running "inputs".

0 Karma

dural_yyz
Builder

Doing that to the Search Heads can cause more troubles than it's worth. Best to backtrack that change.

Then opt for a transforms.conf option to rewrite the host field value.

# transforms.conf: rewrite the host field at index time. $HOSTNAME stands for the
# value you want; the stanza must be invoked from props.conf via TRANSFORMS-<name>.
[hostname-override]
SOURCE_KEY = MetaData:Host
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::$HOSTNAME

0 Karma