Splunk® Enterprise

Admin Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

List of configuration files

The following is a list of some of the available spec and example files associated with each conf file. Some conf files do not have spec or example files; contact Support before editing a conf file that does not have an accompanying spec or example file.

Caution: Do not edit the default copy of any conf file in $SPLUNK_HOME/etc/system/default/. See How to edit a configuration file.

File Purpose
alert_actions.conf Create an alert.
app.conf Configure app properties
audit.conf Configure auditing and event hashing. This feature is not available for this release.
authentication.conf Toggle between Splunk's built-in authentication or LDAP, and configure LDAP.
authorize.conf Configure roles, including granular access controls.
checklist.conf Customize monitoring console health check.
collections.conf Configure KV Store collections for apps.
commands.conf Connect search commands to any custom search script.
crawl.conf Configure crawl to find new data sources.
datamodels.conf Attribute/value pairs for configuring data models.
default.meta.conf Set permissions for objects in a Splunk app.
deploymentclient.conf Specify behavior for clients of the deployment server.
distsearch.conf Specify behavior for distributed search.
event_renderers.conf Configure event-rendering properties.
eventtypes.conf Create event type definitions.
fields.conf Create multivalue fields and add search capability for indexed fields.
indexes.conf Manage and configure index settings.
inputs.conf Set up data inputs.
instance.cfg.conf Designate and manage settings for specific instances of Splunk. This can be handy, for example, when identifying forwarders for internal searches.
limits.conf Set various limits (such as maximum result size or concurrent real-time searches) for search commands.
literals.conf Customize the text, such as search error strings, displayed in Splunk Web.
macros.conf Define search macros in Settings.
multikv.conf Configure extraction rules for table-like events (ps, netstat, ls).
outputs.conf Set up forwarding behavior.
passwords.conf Maintain the credential information for an app.
procmon-filters.conf Monitor Windows process data.
props.conf Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties.
pubsub.conf Define a custom client of the deployment server.
restmap.conf Create custom REST endpoints.
savedsearches.conf Define ordinary reports, scheduled reports, and alerts.
searchbnf.conf Configure the search assistant.
segmenters.conf Configure segmentation.
server.conf Enable SSL for Splunk's back-end (communications between Splunkd and Splunk Web) and specify certification locations.
serverclass.conf Define deployment server classes for use with deployment server.
serverclass.seed.xml.conf Configure how to seed a deployment client with apps at start-up time.
source-classifier.conf Terms to ignore (such as sensitive data) when creating a source type.
sourcetypes.conf Machine-generated file that stores source type learning rules.
tags.conf Configure tags for fields.
telemetry.conf Enable Splunk to collect telemetry data about usage and performance.
times.conf Define custom time ranges for use in the Search app.
transactiontypes.conf Add additional transaction types for transaction search.
transforms.conf Configure regex transformations to perform on data inputs. Use in tandem with props.conf.
ui-prefs.conf Change UI preferences for a view. Includes changing the default earliest and latest values for the time range picker.
user-seed.conf Set a default user and password.
visualizations.conf List the visualizations that an app makes available to the system.
viewstates.conf Use this file to set up UI views (such as charts).
web.conf Configure Splunk Web, enable HTTPS.
wmi.conf Set up Windows management instrumentation (WMI) inputs.
workflow_actions.conf Configure workflow actions.
When to restart Splunk Enterprise after a configuration file change
Configuration parameters and the data pipeline

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters