Splunk Search

Why is the Search and Reporting default overwritten during start up?

sarahafrin
Explorer

The default folder under SPLUNK_HOME/etc/apps/search has been overwritten and all my changes are now in a default.old./ folder. Now, my Search and Reporting app is invisible. This has caused an outage for all settings also. I can only see apps.conf in this new default folder which has the following contents:
[install]
install_source_checksum =

This new default folder is not even owned by the unix group Splunk but by the unix group 'user'.

If I try to delete this new default folder, rename default.old. to default and restart Splunk daemon, it does not work. The default gets overwritten again with the same problem.

Can anyone help in understanding what might be causing this?

0 Karma

woodcock
Esteemed Legend

The documentation, training, and file headers are quite clear. You should never, ever, EVER modify ANYTHING inside of Splunk's default directories. If you do, you are breaking your install and ensuring upgrade problems. Create a local directory (in this case, SPLUNK_HOME/etc/apps/search/local/) and put your changes there. To be fair, not all files have warnings (and each should) but, for example, the commands.conf file in $SPLUNK_HOME/etc/apps/search/default/ starts with these lines:

#   Version 7.1.1
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/system/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
# into ../local and edit there.

Other files say it like this:

# Version 7.0.3
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
# This file contains possible attributes and values you can use to
# configure inputs, distributed inputs and file system monitoring.
0 Karma
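An added illustration of the default/local layering the answer above relies on (example code written for this page, not Splunk's own merge logic, which also layers system, app and user contexts; the apps.conf contents are constructed): the shipped default file is never edited, and only the settings that change go into local.

```python
"""Model of Splunk's default/local precedence for one .conf file:
stanza by stanza, setting by setting, the local layer wins and any
setting not overridden keeps its default value. Added example; not
Splunk's implementation."""


def parse_conf(text):
    """Parse a Splunk-style .conf: [stanza] headers, key = value, # comments."""
    stanzas = {}
    current = "default"  # simplification: settings before any header go here
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # ignore malformed lines rather than fail the whole file
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Lowest-precedence layer first; each later layer overrides per setting."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


# Constructed sample: the shipped default (left untouched) and a local override.
DEFAULT_CONF = """\
# Version 7.1.1
# DO NOT EDIT THIS FILE!
[install]
install_source_checksum =

[ui]
is_visible = 1
label = Search & Reporting
"""

LOCAL_CONF = """\
# Admin change lives in local/: only the setting that differs is listed.
[ui]
label = Search (Prod)
"""


def effective_config():
    """The merged view Splunk would present: local label, default visibility."""
    return merge_layers(parse_conf(DEFAULT_CONF), parse_conf(LOCAL_CONF))
```

Running it shows [ui] label taken from local while is_visible and the [install] stanza survive from default, which is why the default directory never needs editing.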

gjanders
SplunkTrust

Do you have this server connecting to a deployment server? And is the deployment server sending out a search application?

Another possibility is a search head cluster pushing out the search application, however a search head cluster will not push out default applications unless a particular switch is used...(note that when a search head restarts it would re-download the current config from the deployer in this scenario).

0 Karma