Splunk: README folder of application

Under each Splunk application there is a folder name d”README” … there are something behind it.

It’s common sense that it’s just a documentation folder, it’s not critical, we can get rid of it.

oh no, Splunk uses that folder to check the input parameters for your application. If you remove that folder, all your input modular will not work. Splunk does not show any error in the log.

There are some files in this folder such as inputs.conf.spec. , Splunk read this file to know which script it should run when splunk starts.

It took me 3 days to figure out this. one of my splunk team mate removed this folder. We didn’t see anything in log, i had to start writing my own splunk modular input to debug the issue.

Leave a Reply

Your email address will not be published. Required fields are marked *