I have 3 search heads in a search head cluster, and I'm having some issues with building the outputs.conf files to them. I have 2 outputs.conf files I'd like to use. One is deployed via a deployer and ultimately resides on the search heads in the `/etc/apps/deployed_app/default` folder, and is used for general outputs.conf config. The other is to reside in the `/etc/system/local` folder and only has the following configuration:
[tcpout:my_search_peers]
sslPassword = password value
For some reason, a rogue outputs.conf file is getting auto created at the `/etc/apps/deployed_app/local` folder which has the same configuration as the `etc/system/local` outputs.conf file, except it salts the password value, meaning that this outputs.conf file is the active sslPassword value for the [tcpout:mysearch_peers] stanza of the search head. This rogue outputs.conf file does not exist in the `shcluster/apps/deployed_app` folder or subfolders of the deployed app, and if I delete the outputs.conf file in the `/etc/apps/deployed_app/local` on all search heads and then restart Splunk on each one, the file is recreated. I have tried modifying the outputs.conf file in `etc/system/local` on the search head to see if it's the source of the one in `/etc/apps/deployed_app/local`, but it did not pull in the changes I made to the `etc/system/local` file. I'm looking for potential causes and solutions to removing the rogue outputs.conf file on the search heads.
Thanks
↧