Admin Manual

 


This documentation does not apply to the most recent version of Splunk.

Where to find the configuration files

When you install Splunk, a set of default configuration files (ending in .conf) is created in $SPLUNK_HOME/etc/system/default/. Examples and specifications (ending in .spec and .example) for each configuration file are contained in $SPLUNK_HOME/etc/system/README/.

To learn more about using configuration files, read "About configuration files" in this manual.

Some configuration files are not created by default--if you want to enable the feature they manage, you must create the configuration file yourself. These configuration files still have .spec and .example files for you to review.

Configuration files and apps

If you make a change that gets written to a configuration file while you're working in an app, that change is written to a copy of the relevant configuration file in that app's local directory: $SPLUNK_HOME/etc/apps/<App_name>/local/<configurationfile>.conf. If you want to edit a configuration file so that the change applies only to a certain app, make a copy of that file in the local directory for that app and make your changes there.

List of configuration files, and what's in them

The following is an up-to-date list of the available spec and example files associated with each conf file. Some conf files do not have spec or example files; contact Support before editing a conf file that does not have an accompanying spec or example file.

Important: Do not edit the default copy of any conf file in $SPLUNK_HOME/etc/system/default/. Make a copy of the file in $SPLUNK_HOME/etc/system/local/ and edit that copy. Splunk will look in $SPLUNK_HOME/etc/system/local/ first when looking for configurations and will use your edited file if it finds it.

| File | Purpose |
|---|---|
| alert_actions.conf | Customize Splunk's global alerting actions. |
| app.conf | Set up fields for your custom app. |
| audit.conf | Configure auditing and event hashing. |
| authentication.conf | Toggle between Splunk's built-in authentication or LDAP. Configure LDAP. |
| authorize.conf | Configure roles, including granular access controls. |
| commands.conf | Connect search commands to any custom search script. |
| deploymentclient.conf | Specify behavior for clients of the deployment server. |
| distsearch.conf | Specify behavior for distributed search. |
| eventdiscoverer.conf | Set terms to ignore for typelearner (event discovery). |
| eventtypes.conf | Create event type definitions. |
| fields.conf | Create multivalue fields and add search capability for indexed fields. |
| indexes.conf | Manage and configure index settings. |
| inputs.conf | Set up data inputs. |
| limits.conf | Set various limits (such as maximum result size) for search commands. |
| literals.conf | Customize the text displayed in Splunk Web. |
| macros.conf | Define search language macros. |
| multikv.conf | Configure extraction rules for table-like events (ps, netstat, ls). |
| outputs.conf | Set up forwarding, routing, cloning, and load balancing. |
| procmon-filters.conf | Monitor Windows process data. |
| props.conf | Set indexing property configurations, including timezone offset and custom sourcetype rules. Also map transforms to event properties. |
| pubsub.conf | Define a custom client of the deployment server. |
| regmonfilters.conf | Create filters for Windows registry monitoring. |
| restmap.conf | Configure REST endpoints. |
| savedsearches.conf | Define saved searches and their associated schedules and alerts. |
| segmenters.conf | Customize segmentation rules for indexed events. |
| server.conf | Enable SSL for Splunk's back-end and specify certificate locations. |
| serverclass.conf | Define deployment server classes for use with deployment server. |
| sourceclassifier.conf | Terms to ignore (such as sensitive data) when creating a sourcetype. |
| sourcetypes.conf | Machine-generated file that stores sourcetype learning rules created by sourcetype training. |
| sysmon.conf | Set up Windows registry monitoring. |
| tags.conf | Configure tags for fields. |
| tenants.conf | Configure deployments in multi-tenant environments. |
| times.conf | Define custom time ranges for use in the Search app. |
| transactiontypes.conf | Add additional transaction types for transaction search. |
| transforms.conf | Configure regex transformations to perform on data inputs. Use in tandem with props.conf. |
| user_seed.conf | Set a default user and password. |
| web.conf | Configure Splunk Web, enable HTTPS. |
| wmi.conf | Set up Windows management instrumentation (WMI) inputs. |
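
The directory layout described on this page makes it possible to review which security-relevant files have been given local copies. The following shell function is an added example, not part of the Splunk documentation: it checks $SPLUNK_HOME/etc/system/local/ and each app's local directory for a hand-picked set of files from the list above. The SENSITIVE selection, the function names, and the sample tree are this example's assumptions.

```shell
#!/bin/sh
# Added example: inventory local copies of security-relevant conf files.
# Directory paths come from the page; SENSITIVE is this example's own
# selection of files from the list above.
SENSITIVE="audit.conf authentication.conf authorize.conf restmap.conf server.conf user_seed.conf web.conf"

# Print "<scope> <file> <state>" for each sensitive file found in a local dir.
# state is "overrides-default" when etc/system/default/ holds a file of the
# same name, otherwise "no-default" (a file that is not created by default).
# Only etc/system/default/ is compared, the one default directory the page names.
list_local_overrides() {
    home=$1
    for dir in "$home/etc/system/local" "$home"/etc/apps/*/local; do
        [ -d "$dir" ] || continue
        case $dir in
            "$home/etc/system/local") scope=system ;;
            *) scope="app:$(basename "$(dirname "$dir")")" ;;
        esac
        for name in $SENSITIVE; do
            [ -f "$dir/$name" ] || continue
            if [ -f "$home/etc/system/default/$name" ]; then
                state=overrides-default
            else
                state=no-default
            fi
            printf '%s %s %s\n' "$scope" "$name" "$state"
        done
    done
}

# Constructed sample tree (empty files) so the example runs offline.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/system/default" "$root/etc/system/local" \
             "$root/etc/apps/search/local"
    for f in web.conf server.conf authorize.conf; do
        : > "$root/etc/system/default/$f"
    done
    : > "$root/etc/system/local/web.conf"
    : > "$root/etc/system/local/user_seed.conf"
    : > "$root/etc/apps/search/local/authorize.conf"
    : > "$root/etc/apps/search/local/props.conf"   # not in SENSITIVE, ignored
    printf '%s\n' "$root"
}

# Run against a real installation when SPLUNK_HOME is set.
if [ -n "${SPLUNK_HOME:-}" ]; then list_local_overrides "$SPLUNK_HOME"; fi
```

Each reported file is a candidate for review against its .spec file in $SPLUNK_HOME/etc/system/README/; a user_seed.conf entry deserves particular attention because that file sets a default user and password.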

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11

