Splunk Enterprise

Need help excluding etc/system/local/inputs.conf from being replicated across the search cluster

gazoscreek
Path Finder

I recently issued a "splunk set default-hostname <hostname>" on a new node I added to our search cluster. It ended up replicating etc/system/local/inputs.conf to all other members, so obviously, all search members began logging their events with the same 'host' field.

So, if I want to avoid this in the future,  how do I leverage conf_replication_summary.excludelist to blacklist the file from replication?

I'm thinking that it'd be something like this, but I really don't know as I've never used this flag before.

[shclustering]
conf_replication_summary.excludelist.inputs = etc[/\\]system[/\\]local[/\\]inputs\.conf


Thank you.

Labels (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Are you actually sure that this was what caused your issue? Inputs shouldn't replicate by default AFAIR.

0 Karma

gazoscreek
Path Finder

Almost positive ...

There are a few Enterprise Security helper apps ( like SA-IdentityManagement ) that as delivered come with:

( cat SA-IdentityManagement/default/inputs.conf )

[shclustering]

conf_replication_include.distsearch = true
conf_replication_include.inputs = true
conf_replication_include.identityLookup = true

I believe that's in some way responsible for this ... but I have no clue as to why this (and several other helper apps) are coming with [shclustering] blocks in an inputs.conf

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Ok. This makes sense. Unfortunately. ES does some wacky things by running "inputs".

0 Karma

dural_yyz
Builder

Doing that to the Search Heads can cause more troubles than it's worth.  Best to backtrack that change.

Then opt for a transforms.conf option to rewrite the host field value.

[hostname-override]
SOURCE_KEY = MetaData:Host
REGEX = .
FORMAT = host::$HOSTNAME
0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...