Configuration Files
This documentation does not apply to the most recent version of Splunk.
A bundle is a small directory that contains one or more configuration files that together configure the Splunk Server for a specific site or standard environment. Bundles must be placed into a Splunk installation as subdirectories of the $SPLUNK_HOME/etc/bundles directory.
Your Splunk Server already has two bundles installed:
- default - this is the pre-configured version of the files listed below.
- local - this set of configuration files stores many modifications you make through the web interface or command line.
  - data input configuration
  - saved splunks & live splunks
  - future releases will move more configuration into the local bundle.
How Bundles Work
When splunkd starts, it walks through the subdirectories of the bundles directory in this order:
- local
This subdirectory is where admins should add local configuration additions and changes. Local bundles override all other settings.
- All other subdirectories (except learned and default)
These subdirectories are presumed to be user-added bundles. They're loaded in alphabetical order.
- default
These are the bundles shipped by Splunk.
- learned
These are settings created by the Splunk Server as it trains on incoming data. Learned configurations take lowest priority after all human-specified settings.
Within each subdirectory, splunkd looks for and loads each of these three files:
- inputs.conf
Data inputs - files, network ports, etc.
- props.conf
Processing properties - time zones, breaking characters, etc.
- regexes.conf
Regular expressions for use by the properties defined in props.conf.
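The load order above decides which bundle's value takes effect when several bundles set the same key. The sketch below is an added example, not part of the Splunk documentation: it resolves that precedence for a bundles directory and reports which bundles are shadowed. It assumes `[stanza]` / `key = value` file syntax and that the first bundle in load order wins; the bundle contents (`acme`, `tcp://9999`, `sourcetype`, `disabled`) are constructed.

```python
import tempfile
from pathlib import Path

CONF_FILES = ("inputs.conf", "props.conf", "regexes.conf")
SAMPLE = {  # constructed bundles; stanza and key names are assumptions
    "default": "[tcp://9999]\nsourcetype = syslog\ndisabled = true\n",
    "acme": "[tcp://9999]\ndisabled = false\n",
    "local": "[tcp://9999]\nsourcetype = firewall\n",
    "learned": "[tcp://9999]\nsourcetype = guessed\n",
}

def bundle_order(bundles_dir):
    """Bundle names in the load order described above (highest priority first)."""
    names = sorted(p.name for p in Path(bundles_dir).iterdir() if p.is_dir())
    user = [n for n in names if n not in ("local", "default", "learned")]
    return [n for n in ["local", *user, "default", "learned"] if n in names]

def parse_conf(path):
    """Parse '[stanza]' and 'key = value' lines (assumed syntax)."""
    settings, stanza = {}, ""
    for line in map(str.strip, Path(path).read_text().splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[(stanza, key.strip())] = value.strip()
    return settings

def effective_settings(bundles_dir):
    """Map (file, stanza, key) -> (value, winning bundle, shadowed bundles)."""
    result = {}
    paths = [Path(bundles_dir, b, c) for b in bundle_order(bundles_dir) for c in CONF_FILES]
    for path in filter(Path.is_file, paths):
        bundle = path.parent.name
        for (stanza, key), value in parse_conf(path).items():
            # First bundle in load order wins; later ones are recorded as shadowed.
            slot = result.setdefault((path.name, stanza, key), (value, bundle, []))
            if slot[1] != bundle:
                slot[2].append(bundle)
    return result

def demo():
    with tempfile.TemporaryDirectory() as root:
        for bundle, text in SAMPLE.items():
            Path(root, bundle).mkdir()
            Path(root, bundle, "inputs.conf").write_text(text)
        return effective_settings(root)
```

In the constructed sample, the user-added `acme` bundle re-enables an input that `default` disables, which is the kind of override an audit of the bundles directory should surface.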
Typical Uses
Bundles can configure any part of splunkd that you can configure through the splunkweb GUI or command line, as well as more advanced processing parameters.
- Data input
For example, turn on a specific TCP port and assign a sourcetype to any data received from it.
- Processing properties
Customized configurations for specific sources, source types, or hosts.
- Regular expressions
Regexes for identifying event boundaries, setting metadata attributes, and performing transformations.
- Saved and Live Splunks
Custom Splunks meant for searching a specific set of data, such as Weblogic logs.
Example files
The Splunk Server ships with several files that demonstrate how to create bundle configurations.
- $SPLUNK_HOME/etc/bundles/
  - inputs.conf.spec
  - props.conf.spec
  - regexes.conf.spec
- $SPLUNK_HOME/etc/bundles/local/
  - inputs.conf.example
  - props.conf.example
  - regexes.conf.example
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6