Splunk® IT Service Intelligence

Administration Manual

List of ITSI configuration files

The following is a list of ITSI configuration files. All files are located under $SPLUNK_HOME/etc/apps/. Most .conf files have accompanying spec and example files located in the README folder that list all supporting attributes. Contact Support before editing a conf file that does not have an accompanying spec or example file.

If you are using Splunk Cloud, you can't edit a .conf file directly. For any task that requires editing a .conf file, submit a ticket using the Support Portal and Splunk Support will work with you to arrange a maintenance window.

Caution: Never change or copy the configuration files in the default directory. Default files must remain intact and in their original location. The upgrade process overwrites the default directory, so any changes that you make in the default directory are lost on upgrade. Create and edit your files in a local directory, for example $SPLUNK_HOME/etc/apps/<app_name>/local. Local directories are not overwritten during upgrades. For more information, see Configuration file directories.

File Purpose ITSI Location
alert_actions.conf Generate ITSI notable events and configure episode actions. /SA-ITOA/default
alert_actions.conf Summarize KPI searches into the ITSI summary index. /itsi/default
app_common_flags.conf Enable or disable certain ITSI features.
CAUTION: Do not edit this file.
authorize.conf Configure ITSI-specific roles and capabilities, including role-based access controls. Always use /itsi/default. For more information, see Grant and revoke user permissions in ITSI. /itsi/default
collections.conf Configure KV store collections for ITSI. /SA-ITOA/default
commands.conf Connect search commands to any custom search script. /SA-ITOA/default
datamodels.conf Attribute/value pairs for configuring data models. /DA-ITSI-APPSERVER/default
deep_dive_drilldowns.conf Configure deep dive drilldowns, add new drilldowns. /itsi/default
itsi_entity_type.conf Upload sample entity types to the KV store. For more information, see Create entity types in ITSI. /SA-ITOA/default
distsearch.conf Specify behavior for distributed search. Group search peers to facilitate searching on a subset of peers. /SA-ITOA/default
drilldownsearch_offset.conf Configure time range picker presets for correlation search drilldown offsets. /itsi/default
fields.conf Create multi-value fields and add search capability for indexed fields. /itsi/default
glasstable_icon_library.conf Add and remove icons from the glass table icon library. /itsi/default
inputs.conf Set up data inputs. /SA-ITOA/default
itsi_da.conf (Deprecated) Configure an app to export entity searches and service templates for use within ITSI. /SA-ITOA/default
itsi_data_integrations.conf See the available chicklets listed on the Data Integrations page. For more information, see Overview of entity integrations in ITSI. /itsi/default
itsi_deep_dive.conf Upload deep dives to the KV store. /SA-ITOA/default
itsi_event_management.conf Configure Episode Review default settings. /SA-ITOA/default
itsi_glass_table.conf Upload glass tables to the KV store. /SA-ITOA/default
itsi_kpi_base_search.conf Upload KPI base searches to the KV store. /SA-ITOA/default
itsi_kpi_template.conf Upload KPI templates to the KV store. /SA-ITOA/default
itsi_kpi_threshold_template.conf Upload KPI threshold templates to the KV store. /SA-ITOA/default
itsi_module_settings.conf Define whether a module is editable in the module lister page. Default is false. /DA-ITSI-EUEM/default


itsi_module_viz.conf Change tab names and panel titles in a module details dashboard. /DA-ITSI-EUEM/default


itsi_notable_event_retention.conf Define how long notable events are retained before they move to the index. Default is 6 months. /SA-ITOA/default
itsi_notable_event_severity.conf Configure the colors associated with different severity levels in Episode Review. /SA-ITOA/default
itsi_notable_event_status.conf Configure label descriptions and event status in Episode Review. /SA-ITOA/default
itsi_service.conf Upload services to the KV store. /SA-ITOA/default
itsi_service_analyzer.conf Configure auto-refresh interval, or disable auto-refresh. /SA-ITOA/default
itsi_service_template.conf Configure an app to export service templates for use within ITSI. /SA-ITOA/default
itsi_settings.conf Configure ITSI. /SA-ITOA/default
itsi_team.conf Upload sample ITSI teams to the KV store. /SA-ITOA/default
limits.conf Set various limits (such as maximum result size or concurrent real-time searches) for search commands. /SA-ITOA/default
macros.conf Define search macros in Settings. /SA-ITOA/default
mad.conf Configure anomaly detection. /SA-ITSI-MetricAD/default
notable_event_actions.conf Configure actions to take on groups in Episode Review. /SA-ITOA/default
notable_event_commonality.conf Define fields to include or exclude from the Common Fields tab of Episode Review. /SA-ITOA/default
notable_event_correlation.conf Set threshold values and limits for Smart Mode event correlation. /SA-ITOA/default
props.conf Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties. /SA-ITOA/default
restmap.conf Create custom REST endpoints. /SA-ITOA/default
savedsearches.conf Define ordinary reports, scheduled reports, and alerts. /SA-ITOA/default
searchbnf.conf Configure the search assistant. /SA-ITOA/default
threshold_labels.conf Change the label, color, threshold level, health weight, minimum and maximum health score, and score contribution. Changes to this file won't be reflected on the service analyzer. /itsi/default
threshold_periods.conf Deprecated. Do not edit. /itsi/default
transforms.conf Configure regex transformations to perform on data inputs. Use in tandem with props.conf. /SA-ITOA/default
visualizations.conf Declare common visualizations that other modules can use. /SA-ITSI-CustomModuleViz/default
web.conf Configure Splunk Web, enable HTTPS. /SA-ITOA/default
Last modified on 10 April, 2023
About configuration files in ITSI   alert_actions.conf

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters