Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

the contents of inputs.conf get reset.

tt-nexteng
Path Finder
‎03-02-2025 10:11 PM

I am running a Splunk Indexer on Docker in an EC2 instance. I use the following Compose file to start the service. However, every time I restart the EC2 instance, the contents of inputs.conf get reset.

 

 

version: "3.6"

networks:
  splunknet:
    driver: bridge
    attachable: true

volumes:
  splunk-var:
    external: true
  splunk-etc:
    external: true

services:
  splunk:
    networks:
      splunknet:
        aliases:
          - splunk
    image: xxxxxx.dkr.ecr.ap-northeast-1.amazonaws.com/splunk/splunk:latest
    container_name: splunk
    restart: always
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=password
    ports:
      - "80:8000"
      - "9997:9997"
    volumes:
      - splunk-var:/opt/splunk/var
      - splunk-etc:/opt/splunk/etc

 

 

 

The following is my conf.

 

 

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/myCombinedServerCertificate.pem
sslPassword = password
requireClientCert = false

 

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎03-02-2025 11:12 PM

Hi @tt-nexteng 

How are you loading your inputs.conf into the Docker image? Are you adding directly into the container once it has started up? Splunk Ansible runs each time the container starts, therefore the container is fairly idempotent and will apply the configuration defined in default.yml / docker-compose ENV variables when started.

Check out https://splunk.github.io/docker-splunk/ADVANCED.html for some configuration options you might want to look at to persist the inputs.conf - Specifically the section around enabling SSL as this has the config for inputs on port 9997 too!
https://splunk.github.io/docker-splunk/ADVANCED.html#:~:text=distributed%2C%20containerized%20enviro...

 

Sample default.yml snippet to configure Splunk TCP with SSL:

splunk:
  ...
  s2s:
    ca: /mnt/certs/ca.pem
    cert: /mnt/certs/cert.pem
    enable: true
    password: abcd1234
    port: 9997
    ssl: true
  ...

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎03-02-2025 11:12 PM

Hi @tt-nexteng 

How are you loading your inputs.conf into the Docker image? Are you adding directly into the container once it has started up? Splunk Ansible runs each time the container starts, therefore the container is fairly idempotent and will apply the configuration defined in default.yml / docker-compose ENV variables when started.

Check out https://splunk.github.io/docker-splunk/ADVANCED.html for some configuration options you might want to look at to persist the inputs.conf - Specifically the section around enabling SSL as this has the config for inputs on port 9997 too!
https://splunk.github.io/docker-splunk/ADVANCED.html#:~:text=distributed%2C%20containerized%20enviro...

 

Sample default.yml snippet to configure Splunk TCP with SSL:

splunk:
  ...
  s2s:
    ca: /mnt/certs/ca.pem
    cert: /mnt/certs/cert.pem
    enable: true
    password: abcd1234
    port: 9997
    ssl: true
  ...

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...