Hi All,

I want to forward the log data using the Splunk Universal Forwarder to a specific index of the Splunk Indexer. I am running the UF and the Splunk Indexer inside a docker container. I am able to achieve this by modifying the inputs.conf file of the UF after the container is started.

    [monitor:///app/logs]
    index = logs_data

But after making this change, I have to RESTART my UF container. I want to ensure that when my UF starts, it sends the data to the "logs_data" index by default (assuming this index is present in the Splunk Indexer).

I tried overriding the default inputs.conf by mounting the locally created inputs.conf to its location. Below is the snippet of how I am creating the UF container:

    splunkforwarder:
      image: splunk/universalforwarder:8.0
      hostname: splunkforwarder
      environment:
        - SPLUNK_START_ARGS=--accept-license --answer-yes
        - SPLUNK_STANDALONE_URL=splunk:9997
        - SPLUNK_ADD=monitor /app/logs
        - SPLUNK_PASSWORD=password
      restart: always
      depends_on:
        splunk:
          condition: service_healthy
      volumes:
        - ./inputs.conf:/opt/splunkforwarder/etc/system/local/inputs.conf

But I am getting a weird error while the container is trying to start:

    An exception occurred during task execution. To see the full traceback, use -vvv. The error was: OSError: [Errno 16] Device or resource busy: b'/opt/splunkforwarder/etc/system/local/.ansible_tmpnskbxfddinputs.conf' -> b'/opt/splunkforwarder/etc/system/local/inputs.conf'
    fatal: [localhost]: FAILED! => {
        "changed": false
    }

    MSG:

    Unable to make /home/splunk/.ansible/tmp/ansible-moduletmp-1710787997.6605148-qhnktiip/tmpvjrugxb1 into to /opt/splunkforwarder/etc/system/local/inputs.conf, failed final rename from b'/opt/splunkforwarder/etc/system/local/.ansible_tmpnskbxfddinputs.conf': [Errno 16] Device or resource busy: b'/opt/splunkforwarder/etc/system/local/.ansible_tmpnskbxfddinputs.conf' -> b'/opt/splunkforwarder/etc/system/local/inputs.conf'

It looks like some process is trying to access inputs.conf while it's getting overridden. Can someone please help me solve this issue?

Thanks