SPLUNK INPUTS.CONF HOW TO
There are two questions here: (1) why are you seeing that error message, and (2) how to achieve the desired behaviour you're hoping to achieve that you're trying to express through your Deployment and ConfigMap. This is instead of the passing an environment variable directly like I did in the origin code: SPLUNK_FORWARD_SERVER: splunk-receiver:9997įull setup of the forwarder.yaml: apiVersion: apps/v1 In a similar way, the outputs: block will resemble the following: The inputs: section will produce the a nf with the following content: conf postfix (Remember that the sub block start with conf:) which be owned by the correct Splunk user and group. This setup will generate two files with a. Monitor:///opt/splunk/var/log/syslog-logs: Then, We'll go to the splunk: block and add a config: sub block under it: splunk: We'll start the docker container with a default.yml file which will be mounted in /tmp/defaults/default.yml.įor that, we'll create the default.yml file with: docker run splunk/splunk:latest create-defaults >. Instead of mounting the configuration file directly inside the /opt/splunk/etc directory we'll use the following setup: The error specified in the my question reflect that splunk failed to manipulate all the relevant files in the /opt/splunk/etc directory because of the change in the mounting mechanism. When Splunk boots, it registers all the config files in various locations on the filesystem under $ which is in our case /opt/splunk. This change is since v1.9.4 and can lead to issues for various applications which chown or otherwise manipulate their configs. So this PR change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them as read-only. This is the cause of failure.īased on the direction pointed out by I'll try also to give a full solution. Splunk_common : Set target version fact - 0.04sĭetermine captaincy - 0.04sĮRROR: Couldn't read "/opt/splunk/etc/nf" - maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?Įdit #2: Adding config map to the code (was removed from the original question for the sake of brevity).
SPLUNK INPUTS.CONF UPGRADE
Splunk_common : Setting upgrade fact - 0.04s Splunk_common : Set docker fact - 0.04sĮxecute pre-setup playbooks - 0.04s
SPLUNK INPUTS.CONF INSTALL
Splunk_common : Set splunk install fact - 0.04s
Splunk_common : Set current version fact - 0.04s Splunk_common : Set privilege escalation user - 0.04s Splunk_common : Set first run fact - 0.04s Minikube version: Upgraded from v0.33.1 to v1.2.0.įull error log: $kubectl logs -l tier=splunk Saw this on Splunk forum but the answer did not help in my case. SPLUNK_START_ARGS: -accept-license -answer-yes
I've tested the image with the following docker configuration - and it ran successfully: version: '3.2' I tried to add also this env variables - with no success: - name: SPLUNK_HOME MountPath: /opt/splunk/etc/system/local/nf My Splunk deployment: apiVersion: apps/v1
$SPLUNK_HOME or $SPLUNK_ETC is set wrong? I'm using this Splunk image on Kubernetes (testing locally with minikube).Īfter applying the code below I'm facing the following error:ĮRROR: Couldn't read "/opt/splunk/etc/nf" - maybe
0 kommentar(er)
