Splunk® Enterprise

Admin Manual

Download manual as PDF

Download topic as PDF

How to edit a configuration file

Only users with file system access, such as system administrators, can edit configuration files.

Before you edit a configuration file, make sure you are familiar with the following:

Customize a configuration file

To customize an attribute in a configuration file, create a new file with the same name in a local or app directory. You will then add the specific attributes that you want to customize to the local configuration file.

  1. Determine whether the configuration file already exists in your preferred directory, for example $SPLUNK_HOME/etc/system/local. See Configuration file precedence in this manual.
  2. If the file already exists in your preferred directory, edit the existing file. Otherwise, create the file in your preferred directory. Do not copy the contents of the default configuration file into the file in your preferred directory. This is to ensure that any Splunk software upgrades properly update the default values.
  3. Add only the stanzas and attributes that you want to customize to the local file.

Clear an attribute

You can clear any attribute by setting it to null. For example:

forwardedindex.0.whitelist = 

This overrides any previous value that the attribute held, including any value set in its default file, causing the system to consider the value entirely unset.

Insert a comment

You can insert comments in configuration files. To do so, use the # sign:

# This stanza forwards some log files.

Important: Start the comment at the left margin. Do not put the comment on the same line as the stanza or attribute:

[monitor:///var/log]    # This is a really bad place to put your comment.

For an attribute, such as

a_setting = 5  #5 is the best number

This sets the a_setting attribute to the value "5 #5 is the best number", which may cause unexpected results.

Creating and editing configuration files on Windows and other non-UTF-8 operating systems

The Splunk platform works with configuration files with ASCII/UTF-8 encoding. On operating systems where UTF-8 is not the default character set, for example Windows, configure your text editor to write files in that format.

Attribute precedence within a single props.conf file
When to restart Splunk Enterprise after a configuration file change

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.2, 7.1.3

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters