How to edit a configuration file
Before you edit a configuration file, make sure you are familiar with the following:
- To learn about where configuration files live, and where to put the ones you edit, see Configuration file directories.
- To learn about file structure and how the attributes you want to edit are set up, see Configuration file structure.
- To learn how configuration files across multiple directories are layered and combined, see Configuration file precedence.
Customize a configuration file
To customize an attribute in a configuration file, create a new file with the same name in a local or app directory. You will then add the specific attributes that you want to customize to the local configuration file.
- Determine whether the configuration file already exists in your preferred directory, for example $SPLUNK_HOME/etc/system/local. See Configuration file precedence in this manual.
- If the file already exists in your preferred directory, edit the existing file. Otherwise, create the file in your preferred directory. Do not copy the contents of the default configuration file into the file in your preferred directory. This is to ensure that any Splunk software upgrades properly update the default values.
- Add only the stanzas and attributes that you want to customize to the local file.
Clear an attribute
You can clear any attribute by setting it to null. For example:
This overrides any previous value that the attribute held, including any value set in its default file, causing the system to consider the value entirely unset.
Insert a comment
You can insert comments in configuration files. To do so, use the # sign:
# This stanza forwards some log files. [monitor:///var/log]
Important: Start the comment at the left margin. Do not put the comment on the same line as the stanza or attribute:
[monitor:///var/log] # This is a really bad place to put your comment.
For an attribute, such as
a_setting = 5 #5 is the best number
This sets the a_setting attribute to the value "5 #5 is the best number", which may cause unexpected results.
Creating and editing configuration files on Windows and other non-UTF-8 operating systems
The Splunk platform works with configuration files with ASCII/UTF-8 encoding. On operating systems where UTF-8 is not the default character set, for example Windows, configure your text editor to write files in that format.
Attribute precedence within a single props.conf file
When to restart Splunk Enterprise after a configuration file change
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3