How Bundles Work
Bundles add configuration to splunkd. A bundle is a small directory containing one or more configuration files that together configure the Splunk Server for a specific site or standard environment. Bundles must be placed in a Splunk installation as subdirectories of the $SPLUNK_HOME/etc/bundles directory.
Startup
When splunkd starts, it walks through the subdirectories of the bundles directory in this order:
- local : This subdirectory is where admins should add local configuration additions and changes. Local bundles override all other settings.
- All other subdirectories except learned and default : These subdirectories are presumed to be user-added bundles. They're loaded in alphabetical order.
- default : These are the bundles shipped by Splunk.
- learned : These are settings created by the Splunk Server as it trains on incoming data. Learned configurations take lowest priority after all human-specified settings.
Within each subdirectory, splunkd looks for and loads each of these files.
- auth.conf : Authentication settings
- inputs.conf : Data inputs - files, network ports, etc.
- props.conf : Processing properties - time zones, breaking characters, etc.
- regexes.conf : Regular expressions for use by the properties defined in props.conf.
- livesplunks.conf, savedsplunks.conf : Live Splunks and their associated Saved Splunks
Typical Uses
Bundles can configure any part of splunkd that you can configure through the splunkweb GUI or command line, as well as more advanced processing parameters.
- Authentication : Configuring your selected authentication scheme, such as LDAP
- Data input : For example, to turn on a specific TCP port and assign a sourcetype to any data accessed from it.
- Processing properties : Customized configurations for specific sources, source types, or hosts.
- Regular expressions : Regexes for identifying event boundaries, setting metadata attributes, and performing transformations.
- Saved and Live Splunks : Custom Splunks meant for searching a specific set of data, such as Weblogic logs.
Example files
The Splunk Server ships with several files that demonstrate how to create bundle configurations.
$SPLUNK_HOME/etc/bundles/
- auth.conf.spec
- inputs.conf.spec
- livesplunks.conf.spec
- props.conf.spec
- regexes.conf.spec
- savedsplunks.conf.spec
$SPLUNK_HOME/etc/bundles/local/
- inputs.conf.example
- props.conf.example
- regexes.conf.example
Bundles may use a wide range of configuration options, and the *.conf files themselves are very tolerant of syntax errors: a mistyped key or stanza name is read as a different, valid setting rather than rejected, so splunkd cannot differentiate between the configuration you intended and the many possible variations that, while technically correct, are not what you meant. Test your bundle configurations carefully to ensure the correct results, particularly for settings that disable or restrict a data input, since a line that is silently dropped leaves the input in its default state.
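The load order described under Startup and the tolerance caveat above, as an added example that is not Splunk's own code or tooling: a small Python resolver that walks a bundles tree in the stated precedence order (local, then user bundles alphabetically, then default, then learned), merges one .conf file with first-loaded-wins semantics so you can see which bundle supplied each effective value, and lists every line the tolerant parser would silently drop. The bundle names, stanzas and values are constructed for the demonstration, the "(global)" label for keys above the first stanza header is a name chosen here, and the parser is a deliberately minimal reimplementation of the [stanza] / key = value format, not splunkd's.

```python
"""Resolve the effective splunkd configuration from a bundles tree.

Walks a bundles directory in the precedence order the page describes
(local, user bundles alphabetically, default, learned), merges one .conf
file across bundles with first-loaded-wins semantics, and reports the
lines a tolerant parser would silently ignore.
"""
import os
import tempfile
from collections import OrderedDict

# Constructed sample bundles (not shipped with Splunk); values are illustrative.
SAMPLE_BUNDLES = {
    "default/inputs.conf":
        "[tcp://9997]\nsourcetype = syslog\ndisabled = 0\n\n"
        "[monitor:///var/log/messages]\nsourcetype = syslog\n",
    "learned/inputs.conf":
        "[tcp://9997]\nsourcetype = learned_guess\nhost = learned-host\n",
    "acme_webapp/inputs.conf":
        "[tcp://9997]\nsourcetype = acme_app\nindex = acme\nsourcetype web\n",
    "zeta_custom/inputs.conf":
        "[tcp://9997]\nsourcetype = zeta_app\n",
    "local/inputs.conf":
        "# site override: keep the port closed until the input is reviewed\n"
        "[tcp://9997]\ndisabled = 1\n",
}


def bundle_order(bundles_dir):
    """Return bundle subdirectories in the order splunkd walks them.
    The first bundle to set a key wins, so this is also precedence order."""
    subdirs = sorted(d for d in os.listdir(bundles_dir)
                     if os.path.isdir(os.path.join(bundles_dir, d)))
    order = ["local"] if "local" in subdirs else []
    order += [d for d in subdirs if d not in ("local", "default", "learned")]
    order += [d for d in ("default", "learned") if d in subdirs]
    return order


def parse_conf(path):
    """Minimal parser for the [stanza] / key = value .conf format.
    Anything that is neither a stanza header nor key = value is ignored,
    which is the tolerance the page warns about; ignored lines are returned
    so a reviewer can see what would have been dropped."""
    stanzas = OrderedDict()
    ignored = []
    current = "(global)"  # label for keys above the first header; name chosen here
    with open(path) as f:
        for lineno, raw in enumerate(f, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
                stanzas.setdefault(current, OrderedDict())
            elif "=" in line:
                key, _, value = line.partition("=")
                stanzas.setdefault(current, OrderedDict())[key.strip()] = value.strip()
            else:
                ignored.append((lineno, line))
    return stanzas, ignored


def effective_config(bundles_dir, conf_name):
    """Merge conf_name across all bundles. Result maps
    stanza -> key -> (value, bundle that supplied it); warnings lists
    (bundle, line number, text) for every line the parser ignored."""
    merged = OrderedDict()
    warnings = []
    for bundle in bundle_order(bundles_dir):
        path = os.path.join(bundles_dir, bundle, conf_name)
        if not os.path.isfile(path):
            continue
        stanzas, ignored = parse_conf(path)
        warnings += [(bundle, n, text) for n, text in ignored]
        for stanza, kv in stanzas.items():
            target = merged.setdefault(stanza, OrderedDict())
            for key, value in kv.items():
                # keep the first (highest-precedence) writer of each key
                target.setdefault(key, (value, bundle))
    return merged, warnings


def build_sample(root):
    """Write the constructed SAMPLE_BUNDLES tree under root."""
    for rel, text in SAMPLE_BUNDLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)


def demo():
    """Build the sample tree in a temp dir and resolve inputs.conf."""
    root = tempfile.mkdtemp(prefix="bundles-")
    build_sample(root)
    merged, warnings = effective_config(root, "inputs.conf")
    return bundle_order(root), merged, warnings


if __name__ == "__main__":
    order, merged, warnings = demo()
    print("load order:", " > ".join(order))
    for stanza, kv in merged.items():
        print("[%s]" % stanza)
        for key, (value, bundle) in kv.items():
            print("  %s = %s    (from %s)" % (key, value, bundle))
    for bundle, n, text in warnings:
        print("IGNORED %s line %d: %r" % (bundle, n, text))
```

Against the sample tree, disabled = 1 for [tcp://9997] comes from local even though default sets it to 0, sourcetype comes from acme_webapp because it sorts before zeta_custom, and host survives from learned only because no human-written bundle sets it. The ignored-line report is the check worth running before deploying a bundle: the line "sourcetype web" in acme_webapp is dropped without complaint, and a dropped "disabled = 1" would equally leave a port open. To run it against a real installation, call effective_config("/opt/splunk/etc/bundles", "inputs.conf") with your own $SPLUNK_HOME (that path is an assumed default).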
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6