docker-splunk
Can't force overwrite when using splunk.conf defined files in default.yml
I'm trying to get a heavy forwarder going with a Postgres connection, pre-configured to send data to a Splunk Cloud instance.
Eventually I need this to run in Kubernetes, but for now just trying to get it all going with a local postgres container in postgres network.
I got things up and running, but couldn't find a way to force overwrite of an existing conf file which gets installed as part of the DB Connect app, but needs to be updated from the default.
Is there a way to make this work?
The only workaround I found so far was to create the conf files and mount as volume which doesn't seem to get overwritten by the app installer luckily (see commented out bit in Docker Compose file below).
Docker Compose file:
```yaml
version: "3.6"
# Apps installed from SplunkBase:
# 1. JDBC Add-on for Postgres: https://splunkbase.splunk.com/app/6152
# 2. DB Connect: https://splunkbase.splunk.com/app/2686
services:
  heavyforwarder:
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    hostname: heavyforwarder
    container_name: heavyforwarder
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_APPS_URL=https://splunkbase.splunk.com/app/6152/release/1.1.0/download,https://splunkbase.splunk.com/app/2686/release/3.9.0/download
      - SPLUNKBASE_USERNAME=myuser
      - SPLUNKBASE_PASSWORD=verysafepassword
      - SPLUNK_PASSWORD=verysafepassword
      - SPLUNK_ROLE=splunk_heavy_forwarder
      - JAVA_VERSION=openjdk:11
      - DEBUG=true
    ports:
      - 8000:8000
    expose:
      - 8000
    networks:
      - ${DOCKER_NETWORK:-shared}
    volumes:
      - ${PWD}/default.yml:/tmp/defaults/default.yml
      # Workaround: have the actual conf files mounted
      # - ${PWD}/config/splunk_app_db_connect:/opt/splunk/etc/apps/splunk_app_db_connect/local
networks:
  shared:
    external:
      name: postgres
```
default.yml (other config files removed for brevity)
```yaml
---
splunk:
  conf:
    - key: db_connect_app
      value:
        directory: /opt/splunk/etc/apps/splunk_app_db_connect/local/app.conf
        content:
          install:
            is_configured: 1
```
Error message:
```text
heavyforwarder | TASK [splunk_common : Create /opt/splunk/etc/apps/splunk_app_db_connect/local/app.conf directory] ***
heavyforwarder | fatal: [localhost]: FAILED! => {
heavyforwarder |     "changed": false,
heavyforwarder |     "gid": 41812,
heavyforwarder |     "group": "splunk",
heavyforwarder |     "mode": "0600",
heavyforwarder |     "owner": "splunk",
heavyforwarder |     "path": "/opt/splunk/etc/apps/splunk_app_db_connect/local/app.conf",
heavyforwarder |     "size": 28,
heavyforwarder |     "state": "file",
heavyforwarder |     "uid": 41812
heavyforwarder | }
heavyforwarder |
heavyforwarder | MSG:
heavyforwarder |
heavyforwarder | /opt/splunk/etc/apps/splunk_app_db_connect/local/app.conf already exists as a file
heavyforwarder |
```
I think there are some issues with default.yml in this case.
key should be the name of the conf file, so key: app to modify app.conf.
directory should be the directory where the file will be found/created, so just the .../local/ path in this case.
That should cause the container start up process to merge/overwrite whatever you specify in content: with whatever is already there due to the Splunk start up. I'm not sure where this logic exists, but that's what I've observed.
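As an added example (not part of the issue thread and not docker-splunk's own Ansible logic), a small Python sketch of the behaviour the reply describes: it takes one splunk.conf entry from default.yml written the corrected way (key = conf name, directory = folder), flags the directory-points-at-a-file shape from the original report, and merges content into the existing file while keeping stanzas the app installer already wrote. The entry and the seeded app.conf are constructed, and the write goes under a temp dir instead of /opt/splunk.

```python
import configparser
import os
import tempfile

# Constructed stand-in for one entry of the `splunk.conf` list in default.yml,
# written the way the reply suggests (key = conf file name, directory = folder).
CONF_ENTRY = {
    "key": "app",
    "directory": "/opt/splunk/etc/apps/splunk_app_db_connect/local",
    "content": {"install": {"is_configured": "1"}},
}

def validate_entry(entry):
    """Reject the shape from the original report: a directory that names a file."""
    problems = []
    if entry["directory"].endswith(".conf"):
        problems.append("directory points at a .conf file; use the folder and put the file name in key")
    return problems

def merge_conf(entry, root="/"):
    """Merge entry['content'] into <directory>/<key>.conf under `root`, keeping other stanzas."""
    target_dir = os.path.join(root, entry["directory"].lstrip("/"))
    path = os.path.join(target_dir, entry["key"] + ".conf")
    cp = configparser.ConfigParser()
    cp.optionxform = str  # Splunk setting names are case-sensitive
    if os.path.exists(path):
        cp.read(path)  # stanzas the app installer wrote survive the merge
    for stanza, settings in entry["content"].items():
        if not cp.has_section(stanza):
            cp.add_section(stanza)
        for k, v in settings.items():
            cp.set(stanza, k, str(v))  # values from default.yml overwrite existing ones
    os.makedirs(target_dir, exist_ok=True)
    with open(path, "w") as fh:
        cp.write(fh)
    return path

def demo():
    """Run against a temp root seeded with an app.conf the 'installer' left behind."""
    root = tempfile.mkdtemp()
    seeded = os.path.join(root, CONF_ENTRY["directory"].lstrip("/"))
    os.makedirs(seeded)
    with open(os.path.join(seeded, "app.conf"), "w") as fh:
        fh.write("[install]\nis_configured = 0\nstate = enabled\n")  # constructed
    path = merge_conf(CONF_ENTRY, root)
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read(path)
    return dict(cp["install"])  # is_configured overwritten, state preserved
```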