Admin Manual


Configure application directories

Application directories are individual directories placed in $SPLUNK_HOME/etc/system/ or $SPLUNK_HOME/etc/apps/. Each directory must contain at least one configuration file to be considered an application directory. Examples and spec files for every configuration file live in $SPLUNK_HOME/etc/system/README/.


Note: Restart your Splunk server to apply any changes you make to the configuration files. Changes to how Splunk processes index data do not affect data that is already indexed.


Make an application directory

Make configuration changes in the local directory ($SPLUNK_HOME/etc/system/local). To create a new application, make a directory in $SPLUNK_HOME/etc/apps/. Name the directory anything you like, but it is a good idea to make the name functionally descriptive. There can be many application directories on a server.


To get started with configuration changes, use example configuration files from $SPLUNK_HOME/etc/system/README/. Copy the sample configuration file into your target directory. It's a good idea to try out configuration changes on a test system (see best practices section).


Step-by-step configuration file changes

  1. Copy the .example configuration file from ../README to your test location.
  2. Edit the file to fit your data; double-check the file's syntax and logic.
  3. When you are ready, change the file extension to .conf (that is, remove the .example suffix).
  4. Restart Splunk.
  5. If the modifications you just made require re-indexing data, run the following CLI commands:

     # ./splunk stop
     # ./splunk clean eventdata (only if this is a test system!)
     # ./splunk start

  6. Check that your changes had the desired effect.

Best practice

For a single Splunk server, it is easiest to keep all configuration files in the $SPLUNK_HOME/etc/system/local directory.


Caution: Splunk Web writes to ../local/. If you edit configuration files in ../local/ directly, your edits may be overwritten when someone else makes changes through Splunk Web at the same time. So if many users make changes in Splunk Web, create a custom application directory for any configuration files you edit by hand.


Also, you may want to create different directories for different configurations. For example, create one application for inputs. To do this, create a directory in $SPLUNK_HOME/etc/apps/ called inputs and copy in your own inputs.conf.


For a distributed Splunk deployment, you can copy existing configurations from your local Splunk server to any remote Splunk server. This is most easily done with the Splunk deployment server. However, if you only need a few simple changes and have a small number of servers, you can simply copy your configurations to each instance.


Never make configuration changes in $SPLUNK_HOME/etc/system/default. These changes will be overwritten during an upgrade.


It is a good idea to back up the original file before making any changes. If your configuration does not work as expected, you can reinstate the backup.
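The step-by-step procedure above and the backup and never-edit-default cautions in this section, carried out by a small POSIX shell script. This is an added example, not part of the Splunk manual: it assumes SPLUNK_HOME is exported and the 3.x layout this page describes, and the function names and the rough syntax check are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Splunk manual. Assumes SPLUNK_HOME is exported and
# the 3.x layout this page describes: examples in $SPLUNK_HOME/etc/system/README/,
# applications as $SPLUNK_HOME/etc/apps/<app>/<name>.conf. All names are the example's own.

# Rough syntax check: accepts only blank lines, # comments, [stanza] headers and
# key = value lines. Not Splunk's parser; just a typo guard before the rename to .conf.
check_conf_syntax() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/   { next }
        /^\[[^]]+\][ \t]*$/        { next }
        /^[^= \t][^=]*=/           { next }
        { printf "line %d: bad syntax: %s\n", NR, $0 | "cat 1>&2"; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Step 1: copy the .example file from README into a scratch directory for editing.
stage_example() {   # $1 = conf base name (e.g. inputs), $2 = scratch directory
    _src="$SPLUNK_HOME/etc/system/README/$1.conf.example"
    [ -f "$_src" ] || { echo "no example file: $_src" >&2; return 1; }
    mkdir -p "$2" && cp "$_src" "$2/$1.conf.example" && echo "$2/$1.conf.example"
}

# Step 3 plus the best-practice cautions: install the edited file as
# etc/apps/<app>/<name>.conf, back up any .conf already there, and reject app
# names that could escape etc/apps/ (so system/default is never written).
install_conf() {    # $1 = edited file, $2 = conf base name, $3 = app directory name
    case "$3" in
        ""|*/*|.*) echo "bad app name: '$3'" >&2; return 1 ;;
    esac
    check_conf_syntax "$1" || return 1
    _dir="$SPLUNK_HOME/etc/apps/$3"
    mkdir -p "$_dir"
    if [ -f "$_dir/$2.conf" ]; then
        cp -p "$_dir/$2.conf" "$_dir/$2.conf.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$1" "$_dir/$2.conf" && echo "$_dir/$2.conf"
    # Restart Splunk afterwards (step 4); the restart itself is left to the operator.
}
```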


Test configurations

As with any application, it is unwise to make changes on a production server without testing. When you have a change to make to a configuration, test it on another server which has a sample of the data you are configuring.

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4.

