Bundle best practice

This documentation does not apply to the most recent version of Splunk.


For a single Splunk server, it may be best to keep all configuration files in the $SPLUNK_HOME/etc/bundles/local directory. However, you can create different directories for different configurations. For example, one bundle can be created for inputs. To do this, create a directory in $SPLUNK_HOME/etc/bundles/ called inputs and copy in your own inputs.conf.


For a distributed Splunk deployment, you can copy bundles that have already been created on your local Splunk server to any remote Splunk server. This is most easily achieved using the Splunk deployment server. However, if you just make a few simple changes and have a small number of servers, you can simply copy your bundle to each of your instances.


Never make configuration changes in $SPLUNK_HOME/etc/bundles/default. These changes will be overwritten during an upgrade.


When copying or editing configuration files, it is best to make a backup of the original before making any changes. This way, if your bundle is not working as expected, you can reinstate the backup.
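The layout and backup advice above can be combined into one step. The following shell function is an added example, not part of the Splunk documentation: it installs a configuration file into a named bundle under $SPLUNK_HOME/etc/bundles/, refuses to write to the default bundle, and backs up any existing copy first. The function name and the backup file naming are assumptions.

```shell
# Added example (not Splunk's own tooling). Function name and the
# ".bak.<timestamp>" backup suffix are assumptions.
install_bundle_conf() {
    # usage: install_bundle_conf <bundle-name> <path-to-conf-file>
    bundle="$1"
    src="$2"

    if [ -z "${SPLUNK_HOME:-}" ]; then
        echo "SPLUNK_HOME is not set" >&2
        return 1
    fi

    # Never touch the default bundle, and reject names that would
    # resolve outside $SPLUNK_HOME/etc/bundles.
    case "$bundle" in
        ""|default|.|..|*/*)
            echo "refusing to write to bundle '$bundle'" >&2
            return 1 ;;
    esac
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }

    dest_dir="$SPLUNK_HOME/etc/bundles/$bundle"
    dest="$dest_dir/$(basename "$src")"
    mkdir -p "$dest_dir" || return 1

    # Back up the current file before replacing it, so it can be
    # reinstated if the new bundle does not work as expected.
    if [ -f "$dest" ]; then
        backup="$dest.bak.$(date +%Y%m%d%H%M%S)"
        if [ -e "$backup" ]; then
            echo "backup $backup already exists; not overwriting" >&2
            return 1
        fi
        cp -p "$dest" "$backup" || return 1
        echo "backed up $dest to $backup"
    fi

    cp "$src" "$dest"
}
```

For example, `install_bundle_conf inputs ./inputs.conf` creates the inputs bundle described above if it does not exist yet.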


Testing bundles

As with any application, it is unwise to make changes on a production server without testing. When you have a change to make to a configuration, you should test it on another server which has a sample of the data you are configuring.

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.

