Admin Manual



How Splunk Works

Configure bundles


Bundles are individual directories placed in $SPLUNK_HOME/etc/bundles/. Each directory should contain at least one configuration file to be considered a bundle. Once a configuration file is placed in the bundle directory, Splunk will pick up the new configuration. Many examples and spec files exist in $SPLUNK_HOME/etc/bundles/README.


Please note: some bundles may require a Splunk restart to take effect. Any changes to how Splunk processes indexed data will not affect data that is already indexed.


Making a bundle

You can make configuration changes in a new bundle or in the local bundle directory. To create a new bundle, make a new bundle directory under $SPLUNK_HOME/etc/bundles/. You can name the directory anything you like, but it is a good idea to make the name functionally descriptive. There can be many bundle directories on a server. Changes to configurations can also be made in the $SPLUNK_HOME/etc/bundles/local directory.


To get started with configuration changes, you can use the example configuration files from the $SPLUNK_HOME/etc/bundles/README directory. Copy the sample configuration file into your target directory, giving it a name that indicates that it is a work in progress, for example, props.conf.wip. This prevents Splunk from acting on the configuration file before you are ready. In fact, it is best to make configuration changes on a test system (see the best practices section).


Steps to making bundle changes

  1. Copy an existing .conf file to your test location, giving it a file extension other than .conf while you are editing.
  2. Make the changes and double-check file syntax and logic.
  3. When you are ready, change the file extension back to .conf.
  4. Restart Splunk.
  5. If the modifications you just made involve re-indexing data, run the following CLI commands:

     # splunk stop
     # splunk clean eventdata (only if this is a test system!)
     # splunk start

  6. Check to see whether your modification had the desired effect. If not, go back to step one.
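The following shell functions are an added example, not part of the Splunk manual, that follow the steps above: a copied .conf is staged as a .wip file so Splunk ignores it, its stanza/key = value syntax is checked, and only then is it renamed to .conf. The stop/clean/start sequence assumes the splunk binary is on PATH and runs the destructive clean step only when SPLUNK_TEST_SYSTEM=1 is set; both are assumptions of this example.

```shell
#!/bin/sh
# Added example: stage, check and activate a bundle .conf file the way the
# manual's steps describe. Nothing here is Splunk's own tooling.

# stage_conf SRC BUNDLE_DIR: copy a .conf into a bundle directory as NAME.wip,
# so Splunk does not act on it while it is being edited.
stage_conf() {
    mkdir -p "$2"
    cp "$1" "$2/$(basename "$1").wip"
}

# check_conf FILE: return 0 if every non-blank, non-comment line is either a
# [stanza] header or a key = value pair and the file has at least one such
# line; return 1 otherwise. This is a syntax check only, not a logic check.
check_conf() {
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }   # blank or comment
        /^\[.+\][[:space:]]*$/              { n++; next } # [stanza]
        /^[^=[:space:]][^=]*=/              { n++; next } # key = value
        { bad = 1; exit }                                 # anything else
        END { exit (bad || n == 0) ? 1 : 0 }
    ' "$1"
}

# activate_conf WIPFILE: rename NAME.conf.wip back to NAME.conf, but only
# after the syntax check passes (step 2 before step 3).
activate_conf() {
    check_conf "$1" || return 1
    mv "$1" "${1%.wip}"
}

# reindex_restart: the manual's stop / clean eventdata / start sequence.
# "splunk clean eventdata" wipes indexed data, so it is gated behind an
# explicit SPLUNK_TEST_SYSTEM=1 marker (assumed variable for this example).
reindex_restart() {
    splunk stop || return 1
    if [ "${SPLUNK_TEST_SYSTEM:-0}" = 1 ]; then
        splunk clean eventdata || return 1
    fi
    splunk start
}
```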

This documentation applies to the following versions of Splunk: 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4

