Splunk Universal forwarder should forward the data to a specific index of Splunk Indexer

sdhiren
Explorer

Hi all, I want to forward the log data using Splunk Universal Forwarder to a specific index of Splunk Indexer.
I am running UF and Splunk Indexer inside a docker container.

I am able to achieve this by modifying the inputs.conf file of UF after the container is started.


[monitor:///app/logs]
index = logs_data

But, after making this change, I have to RESTART my UF container. 

I want to ensure that when my UF starts, it sends the data to the "logs_data" index by default (assuming this index is present in the Splunk Indexer).

I tried overriding the default inputs.conf by mounting the locally created inputs.conf to its location.

Below is the snippet of how I am creating the UF container:

  splunkforwarder:
    image: splunk/universalforwarder:8.0
    hostname: splunkforwarder
    environment:
      - SPLUNK_START_ARGS=--accept-license --answer-yes
      - SPLUNK_STANDALONE_URL=splunk:9997
      - SPLUNK_ADD=monitor /app/logs
      - SPLUNK_PASSWORD=password
    restart: always
    depends_on:
      splunk:
        condition: service_healthy
    volumes:
      - ./inputs.conf:/opt/splunkforwarder/etc/system/local/inputs.conf


But I am getting a weird error while the container is trying to start.

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: OSError: [Errno 16] Device or resource busy: b'/opt/splunkforwarder/etc/system/local/.ansible_tmpnskbxfddinputs.conf' -> b'/opt/splunkforwarder/etc/system/local/inputs.conf'
fatal: [localhost]: FAILED! => {
    "changed": false
}

MSG:

Unable to make /home/splunk/.ansible/tmp/ansible-moduletmp-1710787997.6605148-qhnktiip/tmpvjrugxb1 into to /opt/splunkforwarder/etc/system/local/inputs.conf, failed final rename from b'/opt/splunkforwarder/etc/system/local/.ansible_tmpnskbxfddinputs.conf': [Errno 16] Device or resource busy: b'/opt/splunkforwarder/etc/system/local/.ansible_tmpnskbxfddinputs.conf' -> b'/opt/splunkforwarder/etc/system/local/inputs.conf'

Looks like some process is trying to access the inputs.conf while it's getting overridden.

Can someone please help me solve this issue?
Thanks
0 Karma

KendallW
Path Finder

Are you able to check which process is using the inputs.conf file with lsof?
You may need to stop Splunk, update the file, then start Splunk again. 



0 Karma
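
An added example, not part of either post above and not taken from Splunk's own documentation. The error in the question shows the container's startup Ansible run failing at its final rename onto /opt/splunkforwarder/etc/system/local/inputs.conf; a single bind-mounted file is a mount point, and rename(2) onto a mount point returns EBUSY. The compose fragment below mounts the same file into an app directory instead. The app name `logs_inputs` is hypothetical, and it is assumed that the image's provisioning does not rewrite that path.

```yaml
# Added example (not from the thread). Assumptions: the app directory name
# "logs_inputs" is hypothetical, and the image's startup provisioning is
# assumed to rewrite only etc/system/local/inputs.conf, as the error shows.
#
# ./inputs.conf on the host (stanza and index taken from the question):
#   [monitor:///app/logs]
#   index = logs_data

services:
  splunkforwarder:
    image: splunk/universalforwarder:8.0
    hostname: splunkforwarder
    environment:
      - SPLUNK_START_ARGS=--accept-license --answer-yes
      - SPLUNK_STANDALONE_URL=splunk:9997
      # SPLUNK_ADD is left out: the monitor input now comes from the mounted file.
      - SPLUNK_PASSWORD=${SPLUNK_PASSWORD}   # read from the shell environment or an .env file
    restart: always
    depends_on:
      splunk:                    # the indexer service, defined elsewhere as in the question
        condition: service_healthy
    volumes:
      # Before (fails at startup): the target is a mount point, so the
      # provisioning step cannot rename its temp file onto it (Errno 16).
      # - ./inputs.conf:/opt/splunkforwarder/etc/system/local/inputs.conf
      #
      # After: same file, mounted into an app's local directory, which Splunk
      # merges with the system-level configuration.
      - ./inputs.conf:/opt/splunkforwarder/etc/apps/logs_inputs/local/inputs.conf
```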