List of configuration files
The following is a list of some of the available spec and example files associated with each conf file. Some conf files do not have spec or example files; contact Support before editing a conf file that does not have an accompanying spec or example file.
Caution: Do not edit the default copy of any conf file in $SPLUNK_HOME/etc/system/default/. See How to edit a configuration file.
File | Purpose |
alert_actions.conf | Create an alert. |
app.conf | Configure app properties. |
audit.conf | Configure auditing and event hashing. This feature is not available for this release. |
authentication.conf | Toggle between Splunk's built-in authentication and LDAP, and configure LDAP. |
authorize.conf | Configure roles, including granular access controls. |
checklist.conf | Customize monitoring console health check. |
collections.conf | Configure KV Store collections for apps. |
commands.conf | Connect search commands to any custom search script. |
datamodels.conf | Attribute/value pairs for configuring data models. |
default.meta.conf | Set permissions for objects in a Splunk app. |
deploymentclient.conf | Specify behavior for clients of the deployment server. |
distsearch.conf | Specify behavior for distributed search. |
event_renderers.conf | Configure event-rendering properties. |
eventtypes.conf | Create event type definitions. |
fields.conf | Create multivalue fields and add search capability for indexed fields. |
health.conf | Set the default thresholds for proactive Splunk component monitoring. |
indexes.conf | Manage and configure index settings. |
inputs.conf | Set up data inputs. |
instance.cfg.conf | Designate and manage settings for specific instances of Splunk. This can be handy, for example, when identifying forwarders for internal searches. |
limits.conf | Set various limits (such as maximum result size or concurrent real-time searches) for search commands. |
literals.conf | Customize the text, such as search error strings, displayed in Splunk Web. |
macros.conf | Define search macros in Settings. |
messages.conf | |
multikv.conf | Configure extraction rules for table-like events (ps, netstat, ls). |
outputs.conf | Set up forwarding behavior. |
passwords.conf | Maintain the credential information for an app. |
procmon-filters.conf | Monitor Windows process data. |
props.conf | Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties. |
pubsub.conf | Define a custom client of the deployment server. |
restmap.conf | Create custom REST endpoints. |
savedsearches.conf | Define ordinary reports, scheduled reports, and alerts. |
searchbnf.conf | Configure the search assistant. |
segmenters.conf | Configure segmentation. |
server.conf | Contains a wide variety of settings for configuring the overall state of a Splunk Enterprise instance. For example, the file includes settings for enabling SSL, configuring nodes of an indexer cluster or a search head cluster, configuring KV store, and setting up a license master. |
serverclass.conf | Define deployment server classes for use with deployment server. |
serverclass.seed.xml.conf | Configure how to seed a deployment client with apps at start-up time. |
source-classifier.conf | Terms to ignore (such as sensitive data) when creating a source type. |
sourcetypes.conf | Machine-generated file that stores source type learning rules. |
tags.conf | Configure tags for fields. |
telemetry.conf | Enable apps to collect telemetry data about app usage and other properties. |
times.conf | Define custom time ranges for use in the Search app. |
transactiontypes.conf | Add additional transaction types for transaction search. |
transforms.conf | Configure regex transformations to perform on data inputs. Use in tandem with props.conf. |
ui-prefs.conf | Change UI preferences for a view. Includes changing the default earliest and latest values for the time range picker. |
user-seed.conf | Set a default user and password. |
visualizations.conf | List the visualizations that an app makes available to the system. |
viewstates.conf | Use this file to set up UI views (such as charts). |
web.conf | Configure Splunk Web, enable HTTPS. |
wmi.conf | Set up Windows management instrumentation (WMI) inputs. |
workflow_actions.conf | Configure workflow actions. |
workload_rules.conf | Configure workload rules to define access and priority for workload pools in workload management. |
workload_pools.conf | Configure workload pools (compute and memory resource groups) that you can assign to searches in workload management. |
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10