Splunk® Enterprise

Monitoring Splunk Enterprise

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

How the DMC works

This topic lists the files that the Distributed Management Console modifies in a Splunk Enterprise filesystem.

These files reside in $SPLUNK_HOME/etc/apps/splunk_management_console/ unless indicated otherwise.

File(s) What DMC information is in there When populated
app.conf Basic information about the DMC: determines whether it is in distributed mode, and provides a short description for Splunk Web to use in Launcher. See app.conf.spec. By default. Updated when you click Apply changes.
distsearch.conf in etc/system/local Contains stanzas that reference distributed search groups created by the DMC. The names of these groups are usually prefaced with dmc_group_*. For example: [distributedSearch:dmc_group_cluster_master] When you switch to distributed mode in DMC setup and click Apply changes
dmc_alerts.conf In some cases, you can edit thresholds in a platform alert without having to directly modify the search string for that alert. For such an alert, the DMC has a template of the search string, description string, and editable parameters. The template data, which is used in the DMC Alerts Setup page, is stored here, in stanzas named for the name of the saved search in default/savedsearches.conf. By default
lookups directory Contains two important files:
  • assets.csv lists the instances that the DMC recognizes and their peer URI (unique name), server name, host, machine (host fqdn), search group (server role, custom group, or cluster). This csv is used by every DMC dashboard.
  • dmc_forwarder_assets.csv is generated when you enable forwarder monitoring. Enabling forwarder monitoring enables the scheduled search (DMC Forwarder - Build Asset Table) in savedsearches.conf, which populates this .csv file. See Configure forwarder monitoring for the DMC in this manual.
By default (on initial startup). Updated when you click Apply changes or Rebuild forwarder assets, respectively.
macros.conf Contains two types of macros:
  • Search macros for all DMC dashboards.
  • Overview page customizations set in Distributed Management Console > Settings > Overview preferences.

See macros.conf.spec.

Search macros are stored here by default.

Customizations are set when you edit one and click Save.

props.conf Search-time field extraction and lookup applications and evals. See props.conf.spec. By default
savedsearches.conf Schedules and search strings for platform alerts. The saved search named DMC Forwarder - Build Asset Table runs when you enable forwarder monitoring. By default


This file contains:
  • A list of search peers configured with the DMC, and any for which you have disabled monitoring.
  • Any search peer identifier that has been overwritten by the DMC manually during setup, for example host, host_fqdn, indexer cluster labels, or search head cluster labels.
  • Stanzas describing which indexer and search head cluster(s) each search peer is a member of.
When you click "Apply Changes" on Setup > General setup
transforms.conf Lookup definitions for assets.csv and forwarder csv file By default

For more details about dmc_alerts.conf and splunk_management_console_assets.conf, look in $SPLUNK_HOME/etc/apps/splunk_management_console/README.

Last modified on 08 September, 2016
What can the DMC do?
Multi-instance deployment DMC setup steps

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters