How do configuration files work?

How do configuration files work?

Most of Splunk's advanced configurations are affected via configuration files. A bundle directory is a directory of one or more configuration files. The majority of Splunk's functionality can be set up through configuration files in any number of bundle directories. Learn more about bundle configuration, including best practices.

All bundles are housed in $SPLUNK_HOME/etc/bundles/. Bundles can be separated based on functionality, or collapsed into a single subdirectory containing each user-crafted configuration file. Bundles make packaging customizations easy. Once you have created a working bundle for a single Splunk server, you can then distribute it to target servers through the Splunk deployment server or share them with others through SplunkBase.

Configuration file directory structure

Configuration file directories are placed into a Splunk installation as subdirectories of $SPLUNK_HOME/etc/bundles/. Your Splunk Server ships with several such directories, including:

• default - contains the pre-configured configuration files. Do not modify the files in default.

Note: Not all configuration files appear in default/.

• local - stores modifications you make through the web interface or command line. You can make file edits here, or in a custom bundle directory.

Note: If you edit files that are also written to by Splunk Web, your edits may be overridden if someone else is editing Splunk Web at the same time.

• learned - this set of configurations are settings created by the Splunk Server as it trains on incoming data.
• readme - this directory contains example and spec configuration files that can help you create your own configuration files. For each configuration file, there are two reference files; .spec and .example. For example, inputs.conf.spec and inputs.conf.example. The .spec file is a specification of syntax, including which attributes and variables are available. The .example files are helpful examples of real-world usage. These files are all found in the $SPLUNK_HOME/etc/bundles/README directory.

Configuration file precedence

Configuration files live in multiple places: default, local and any configuration file directories you create. It is possible for an attribute to exist in more than one file. The evaluation order of configuration files is:

• local
• user-created directories
  • these are evaluated in alphabetical order
• default

Precedence is applied attribute-by-attribute. That is, if the file props.conf exists in local and a user created configuration file directory, the props.conf file in local does not override or replace the entire props.conf file. If the same attribute/specification exists in both the local props.conf and the user-created props.conf, the local props.conf overrides the attribute.

For example, if $SPLUNK_HOME/etc/bundles/local/props.conf contains this stanza:

[source::/opt/Locke/Logs/error*]
sourcetype = t2rss-error

And $SPLUNK_HOME/etc/bundles/t2rss_bundle/props.conf contains this stanza:

[source::/opt/Locke/Logs/error*]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True

Both the sourcetype assignment in local and the line merging attributes in t2rss_bundle apply. However, if both local and t2rss_bundle had a sourcetype assignment for source::/opt/Locke/Logs/error*, the assignment in local overrides t2rss_bundle.

Precedence rules for events with multiple attribute assignments

Beyond the rules discussed above for precedence, there is an additional precedence issue that affects the props.conf file alone. props.conf sets attributes for processing individual events by host, source or sourcetype (and sometimes eventtype). So it's possible for one event to have the same attribute set differently for its host, source or sourcetype. The precedence order is:

• source
• host
• sourcetype

• Was this topic useful?
• Post a comment