Configuration Files

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

How Bundles Work
Typical Uses
Example files

Configuration Files

A bundle is a small directory of files that contains one or more configuration files that together configure the Splunk Server for a specific site or standard environment. Bundles must be placed into a Splunk installations as subdirectories of the $SPLUNK_HOME/etc/bundles directory.

Your Splunk Server already has two bundles installed:

default - this is the pre-configured version of the files listed below.
local - this set of configuration files stores many modifications you make through the web interface or command line.
- data input configuration
- saved splunks & live splunks
- future releases will move more configuration into the local bundle.

How Bundles Work

When splunkd starts, it walks through the subdirectories of the bundles directory in this order.

local

This subdirectory is where admins should add local configuration additions and changes. Local bundles override all other settings.

All other subdirectories (except learned and default)

These subdirectories are presumed to be user-added bundles. They're loaded in alphabetical order.

default

These are the bundles shipped by Splunk.

learned

These are settings created by the Splunk Server as it trains on incoming data. Learned configurations take lowest priority after all human-specified settings.

Within each subdirectory, splunkd looks for and loads each of these three files.

inputs.conf

Data inputs - files, network ports, etc.

props.conf

Processing properties - time zones, breaking characters, etc.

regexes.conf

Regular expressions for use by the properties defined in props.conf.

Typical Uses

Bundles can configure any part of splunkd that you can configure through the splunkweb GUI or command line, as well as more advanced processing parameters.

Data input

For example, to turn on a specific TCP port and assign a sourcetype to any data accessed from it.

Processing properties

Customized configurations for specific sources, source types, or hosts.

Regular expressions

Regexes for identifying event boundaries, setting meta data attributes, and performing transformations.

Saved and Live Splunks

Custom Splunks meant for searching a specific set of data, such as Weblogic logs.

Example files

The Splunk Server ships with several files that demonstrate how to create bundle configurations.

$SPLUNK_HOME/etc/bundles/
- inputs.conf.spec
- props.conf.spec
- regexex.conf.spec
$SPLUNK_HOME/etc/bundles/local/
- inputs.conf.example
- props.conf.example
- regexes.conf.example

Retrieved from "http://docs.splunk.com/Documentation/Splunk/2.2.6/Admin/ConfigurationFiles"

« Define Search-Time Report Fields inputs.conf - Configure data inputs »

This documentation applies to the following versions of Splunk: 2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Admin Manual

Configuration Files

Contents

Configuration Files

How Bundles Work

Typical Uses

Example files

Comments