Splunk Enterprise

Question on a Splunk Searchhead app and distsearch.conf

skirven
Communicator

Hi! I am looking to try to standardize my configuration across my Search Head Cluster. I have 15 Search Heads, and what I am looking to to is move my etc/system/local configs to a searchhead app (let's call it etc/apps/searchhead). 

 

Looking at my files, most of them should be fine, but I was wondering about the syntax for the distsearch.conf lookups. What I have now is like: lkp1 = apps/idm_search/lookups/lkpInterceptAttempt.csv

Would that same path find the file when the file is in /opt/splunk/etc/apps/searchhead/distsearch.conf? Or do I have to be more explicit about it's location?

Thanks!
Stephen

Labels (1)
0 Karma

skirven
Communicator

Bump. Also, I've been researching this, and it looks like it's best practice just to put it in $SPLUNK_HOME/etc/system/local? What's the best practice to keep that up to date? I was hoping to be able to have all of the configurations pushed from the deployer once it's been connected?

Any insight would be appreciated!
Stephen

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...