Hello and good afternoon.
I did run into the following issue and was wondering if anybody experienced the same and/or probably even has a solution:
The Splunk Indexer and Forwarder we have are on these versions: *Splunk 7.1.2 (build a0c72a66db66)*, *Splunk Universal Forwarder 7.1.2 (build a0c72a66db66)*. The OS on both hosts is *CentOS Linux release 7.5.1804*
In the GUI we configured (as admin user) for the Forwarder under **Data inputs | Forwarded inputs | Files & directories** certain entries. They are written on the Forwarder into file */opt/splunkforwarder/etc/apps/_server_app_SERVERCLASS1/local/inputs.conf*, with *SERVERCLASS1* being the Server Class.
Entries in the Forwarders *inputs.conf* look, after adding them through the GUI, for instance like this:
[monitor:///home/donald.duck/splunk_upload_dir/my_app1/*syslogs.log.txt]
disabled = 0
index = my_app1_index
sourcetype = my_app1_sourcetype
blacklist = \.filepart$
host = server1
[monitor:///home/goo.fey/splunk_upload_dir/my_app2/*applogs.log.txt]
disabled = 0
index = my_app2_index
sourcetype = my_app2_sourcetype
blacklist = \.filepart$
host = server2
In our environment however, the need arose to add also the ***crcSalt =*** entry for each section on the Forwarders *inputs.conf* file. Otherwise all source files won't be indexed properly or rather "won't be displayed as Sources" I should say.
So in respect to the above examples, the file looks afterwards like follows:
[monitor:///home/donald.duck/splunk_upload_dir/my_app1/*disney1.log.txt]
blacklist = \.filepart$
disabled = 0
index = my_app1_index
sourcetype = my_app1_sourcetype
host = server1
crcSalt =
[monitor:///home/goo.fey/splunk_upload_dir/my_app2/*disney2.log.txt]
blacklist = \.filepart$
disabled = 0
index = my_app2_index
sourcetype = my_app2_sourcetype
host = server2
crcSalt =
The ***crcSalt*** entry however, only can be made through the command line on OS level and not through the GUI.
As it turned out however, whenever a change is made in the GUI through **Data inputs | Forwarded inputs | Files & directories** to --any-- of these entries there and saved, --all-- the ***crcSalt*** entries in the *inputs.conf* file on the Forwarder disappear and manually will have to be re-done.
In my opinion this is not user friendly, a usual GUI-user might wonder why all of a sudden the indexed files won't show up as sources in the GUI anymore, not to mention a usual GUI user does not necessarily have access to command line level at all, to re-do the ***crcSalt*** entries.
----
Making on the other hand changes through **Data inputs | Local inputs | Files & directories**, so for the Indexer instead, through the GUI, does not remove ***"crcSalt"*** entries on the relevant *inputs.conf* file on the Indexer, e.g. under */opt/splunk/etc/apps/my_app1/local/inputs.conf*.
Any ideas?
Many thanks in advance for the feedback and help.
With best regards
Ingo Bahn.