Getting Data In

crcSalt entries getting deleted in Forwarder's inputs.conf when changing Forwarder Data Inputs through GUI

ingobahn
New Member

Hello and good afternoon.

I ran into the following issue and was wondering if anybody has experienced the same and/or possibly even has a solution:

The Splunk Indexer and Forwarder we have are on these versions: Splunk 7.1.2 (build a0c72a66db66), Splunk Universal Forwarder 7.1.2 (build a0c72a66db66). The OS on both hosts is CentOS Linux release 7.5.1804.

In the GUI we configured (as admin user) certain entries for the Forwarder under Data inputs | Forwarded inputs | Files & directories. They are written on the Forwarder into the file /opt/splunkforwarder/etc/apps/_server_app_SERVERCLASS1/local/inputs.conf, with SERVERCLASS1 being the Server Class.

After adding them through the GUI, entries in the Forwarder's inputs.conf look, for instance, like this:

[monitor:///home/donald.duck/splunk_upload_dir/my_app1/*syslogs.log.txt]
disabled = 0
index = my_app1_index
sourcetype = my_app1_sourcetype
blacklist = \.filepart$
host = server1

[monitor:///home/goo.fey/splunk_upload_dir/my_app2/*applogs.log.txt]
disabled = 0
index = my_app2_index
sourcetype = my_app2_sourcetype
blacklist = \.filepart$
host = server2

In our environment, however, the need arose to also add the crcSalt = entry for each section in the Forwarder's inputs.conf file. Otherwise all source files won't be indexed properly, or rather "won't be displayed as Sources", I should say.

So with respect to the above examples, the file afterwards looks as follows:

[monitor:///home/donald.duck/splunk_upload_dir/my_app1/*disney1.log.txt]
blacklist = \.filepart$
disabled = 0
index = my_app1_index
sourcetype = my_app1_sourcetype
host = server1
crcSalt = <SOURCE>

[monitor:///home/goo.fey/splunk_upload_dir/my_app2/*disney2.log.txt]
blacklist = \.filepart$
disabled = 0
index = my_app2_index
sourcetype = my_app2_sourcetype
host = server2
crcSalt = <SOURCE>

The crcSalt entry, however, can only be made through the command line at OS level and not through the GUI.
As it turned out, however, whenever a change is made in the GUI through Data inputs | Forwarded inputs | Files & directories to --any-- of these entries there and saved, --all-- the crcSalt entries in the inputs.conf file on the Forwarder disappear and have to be re-done manually.

In my opinion this is not user friendly. A usual GUI user might wonder why all of a sudden the indexed files won't show up as sources in the GUI anymore, not to mention that a usual GUI user does not necessarily have access to the command line at all to re-do the crcSalt entries.

On the other hand, making changes through the GUI under Data inputs | Local inputs | Files & directories, so for the Indexer instead, does not remove "crcSalt" entries in the relevant inputs.conf file on the Indexer, e.g. under /opt/splunk/etc/apps/my_app1/local/inputs.conf.

Any ideas?

Many thanks in advance for the feedback and help.

With best regards

Ingo Bahn.

0 Karma
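A check for the drift described in this post, as an added example that is not part of the original thread and not Splunk tooling: it parses inputs.conf text and lists enabled monitor stanzas whose crcSalt is missing or different from the expected value. The function names and the sample file content (second stanza shown as it would look after a GUI save) are constructed for illustration.

```python
import re

STANZA_RE = re.compile(r"^\[(?P<name>.+)\]\s*$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.
    Assumption: no backslash line continuations, as in the files shown above."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()  # keys are case-sensitive
    return stanzas

def monitors_missing_crcsalt(text, expected="<SOURCE>"):
    """Return enabled [monitor://...] stanzas whose crcSalt is not `expected`."""
    missing = []
    for name, settings in parse_conf(text).items():
        if not name.startswith("monitor://"):
            continue
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue
        if settings.get("crcSalt") != expected:
            missing.append(name)
    return missing

# Constructed sample: first stanza still has crcSalt, second has lost it.
SAMPLE = r"""
[monitor:///home/donald.duck/splunk_upload_dir/my_app1/*syslogs.log.txt]
blacklist = \.filepart$
disabled = 0
index = my_app1_index
crcSalt = <SOURCE>

[monitor:///home/goo.fey/splunk_upload_dir/my_app2/*applogs.log.txt]
blacklist = \.filepart$
disabled = 0
index = my_app2_index
"""

if __name__ == "__main__":
    for stanza in monitors_missing_crcsalt(SAMPLE):
        print("crcSalt missing in [%s]" % stanza)
```

Run against the Forwarder's inputs.conf on a schedule, a non-empty result is an early signal that sources may stop appearing before anyone notices it in search.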

gcusello
SplunkTrust

Hi ingobahn,
Maybe I'm old, but I usually manage inputs.conf in Forwarders using Deployment Server and not the GUI!
In other words, I suggest creating a Technical Add-On (TA) on your Splunk Enterprise Server, putting your inputs.conf in an App, and then deploying it to your forwarder following the instructions at https://docs.splunk.com/Documentation/Splunk/7.1.2/Updating/Deploymentserverarchitecture .

Bye.
Giuseppe

0 Karma