Splunk® IT Essentials Work

Administration Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

List of ITE Work configuration files

The following is a list of configuration files. All files are located under $SPLUNK_HOME/etc/apps/. Most .conf files have accompanying spec and example files located in the README folder that list all supporting attributes. Contact Support before editing a conf file that does not have an accompanying spec or example file.

If you are using Splunk Cloud, you can't edit a .conf file directly. For any task that requires editing a .conf file, submit a ticket using the Support Portal and Splunk Support will work with you to arrange a maintenance window.

Caution: Never change or copy the configuration files in the default directory. Default files must remain intact and in their original location. The upgrade process overwrites the default directory, so any changes that you make in the default directory are lost on upgrade. Create and edit your files in a local directory, for example $SPLUNK_HOME/etc/apps/<app_name>/local. Local directories are not overwritten during upgrades. For more information, see Configuration file directories in the Admin manual for Splunk Enterprise.

Because Splunk IT Essentials Work is a free version of Splunk IT Service Intelligence, it uses many of the same configuration files. Clicking on links in the following table will open configuration file descriptions in the ITSI documentation. If a configuration file does not apply to the most recent version of ITSI or ITE Work, a banner notice at the top of the page for that configuration file says so.

File Purpose ITSI Location
alert_actions.conf Generate ITSI notable events and configure episode actions. /SA-ITOA/default
alert_actions.conf Summarize KPI searches into the ITSI summary index. /itsi/default
authorize.conf Configure ITSI-specific roles and capabilities, including role-based access controls. Always use /itsi/default. For more information, see Grant and revoke user permissions in ITSI. /itsi/default
collections.conf Configure KV store collections for ITSI. /SA-ITOA/default
commands.conf Connect search commands to any custom search script. /SA-ITOA/default
datamodels.conf Attribute/value pairs for configuring data models. /DA-ITSI-APPSERVER/default
/DA-ITSI-LB/default
/DA-ITSI-VIRTUALIZATION/default
deep_dive_drilldowns.conf Configure deep dive drilldowns, add new drilldowns. /itsi/default
itsi_entity_type.conf Upload sample entity types to the KV store. For more information, see Create custom entity types in ITSI. /SA-ITOA/default
distsearch.conf Specify behavior for distributed search. Group search peers to facilitate searching on a subset of peers. /SA-ITOA/default
drilldownsearch_offset.conf Configure time range picker presets for correlation search drilldown offsets. /itsi/default
fields.conf Create multi-value fields and add search capability for indexed fields. /itsi/default
glasstable_icon_library.conf Add and remove icons from the glass table icon library. /itsi/default
inputs.conf Set up data inputs. /SA-ITOA/default
/itsi/default
itsi_da.conf (Deprecated) Configure an app to export entity searches and service templates for use within ITSI. /SA-ITOA/default
itsi_data_integrations.conf See the available chicklets listed on the Data Integrations page. For more information, see What is an entity integration?. /itsi/default
itsi_deep_dive.conf Upload deep dives to the KV store. /SA-ITOA/default
itsi_event_management.conf Configure Episode Review default settings. /SA-ITOA/default
itsi_glass_table.conf Upload glass tables to the KV store. /SA-ITOA/default
itsi_kpi_base_search.conf Upload KPI base searches to the KV store. /SA-ITOA/default
itsi_kpi_template.conf Upload KPI templates to the KV store. /SA-ITOA/default
itsi_kpi_threshold_template.conf Upload KPI threshold templates to the KV store. /SA-ITOA/default
itsi_module_settings.conf Define whether a module is editable in the module lister page. Default is false. /DA-ITSI-EUEM/default

/DA-ITSI-WEBSERVER/default
/DA-ITSI-OS/default
/DA-ITSI-VIRTUALIZATION/default
/DA-ITSI-APPSERVER/default
/DA-ITSI-LB/default
/DA-ITSI-APM/default
/DA-ITSI-DATABASE/default
/DA-ITSI-STORAGE/default
/DA-ITSI-CLOUD/default

itsi_module_viz.conf Change tab names and panel titles in a module details dashboard. /DA-ITSI-EUEM/default

/DA-ITSI-WEBSERVER/default
/DA-ITSI-OS/default
/DA-ITSI-VIRTUALIZATION/default
/DA-ITSI-APPSERVER/default
/DA-ITSI-LB/default
/DA-ITSI-APM/default
/DA-ITSI-DATABASE/default
/DA-ITSI-STORAGE/default
/DA-ITSI-CLOUD/default

itsi_notable_event_retention.conf Define how long notable events are retained before they move to the index. Default is 6 months. /SA-ITOA/default
itsi_notable_event_severity.conf Configure the colors associated with different severity levels in Episode Review. /SA-ITOA/default
itsi_notable_event_status.conf Configure label descriptions and event status in Episode Review. /SA-ITOA/default
itsi_service.conf Upload services to the KV store. /SA-ITOA/default
itsi_service_analyzer.conf Configure auto-refresh interval, or disable auto-refresh. /SA-ITOA/default
itsi_service_template.conf Configure an app to export service templates for use within ITSI. /SA-ITOA/default
itsi_settings.conf Configure ITSI. You can also change the default (0) setting on the enable_empty_replace flag in the Import stanza of this file. Setting that flag to 1 disables new replace conflict resolution and reverts ITSI to previous conflict resolution behavior, which clears metadata from entities that become inactive for conflict resolution of type replace. /SA-ITOA/default
itsi_team.conf Upload sample ITSI teams to the KV store. /SA-ITOA/default
limits.conf Set various limits (such as maximum result size or concurrent real-time searches) for search commands. /SA-ITOA/default
/itsi/default
macros.conf Define search macros in Settings. /SA-ITOA/default
/itsi/default
mad.conf Configure anomaly detection. /SA-ITSI-MetricAD/default
notable_event_actions.conf Configure actions to take on groups in Episode Review. /SA-ITOA/default
notable_event_commonality.conf Define fields to include or exclude from the Common Fields tab of Episode Review. /SA-ITOA/default
notable_event_correlation.conf Set threshold values and limits for Smart Mode event correlation. /SA-ITOA/default
props.conf Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties. /SA-ITOA/default
restmap.conf Create custom REST endpoints. /SA-ITOA/default
savedsearches.conf Define ordinary reports, scheduled reports, and alerts. /SA-ITOA/default
searchbnf.conf Configure the search assistant. /SA-ITOA/default
threshold_labels.conf Configure settings for severity-level thresholds. Change the label, color, threshold level, health weight, minimum and maximum health score, and score contribution. /itsi/default
threshold_periods.conf Deprecated. Do not edit. /itsi/default
transforms.conf Configure regex transformations to perform on data inputs. Use in tandem with props.conf. /SA-ITOA/default
ui-tour.conf Customize the ITSI product tour. /itsi/default
visualizations.conf Declare common visualizations that other modules can use. /SA-ITSI-CustomModuleViz/default
web.conf Configure Splunk Web, enable HTTPS. /SA-ITOA/default
Last modified on 19 December, 2023
About configuration files in ITE Work  

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.16.0 Cloud only


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters