I have an environment where I want to use apps like Splunk for Nix, but have the logs go to different indexes.
Splunk_TA_nix/default/inputs.conf:
[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
index=os
disabled = 1
I don't want the default inputs.conf to have index=os. I want to set the index in another app and be able to upgrade the app without messing with the default inputs.conf of Splunk for Nix each time. For example...
serverclass.conf:
[serverClass:TEST1]
whitelist.0 = 1.1.1.1
[serverClass:TEST1:app:TEST1-IndexConfig]
[serverClass:TEST2]
whitelist.0 = 2.2.2.2
[serverClass:TEST2:app:TEST2-IndexConfig]
TEST1-IndexConfig default inputs.conf:
[default]
index=test1
TEST2-IndexConfig default inputs.conf:
[default]
index=test2
Am I going to be stuck commenting out all the "index=" in the defaults each time I want to upgrade the app? Or can I specify in the local confs to ignore the default conf attribute and respect the [default] in my other app?