Splunk® Enterprise

Admin Manual

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

List of configuration files

The following is a list of some of the available spec and example files associated with each conf file. Some conf files do not have spec or example files; contact Support before editing a conf file that does not have an accompanying spec or example file.

Caution: Do not edit the default copy of any conf file in $SPLUNK_HOME/etc/system/default/. See How to edit a configuration file.

File Purpose
alert_actions.conf Create an alert.
app.conf Configure app properties
audit.conf Configure auditing and event hashing. This feature is not available for this release.
authentication.conf Toggle between Splunk's built-in authentication or LDAP, and configure LDAP.
authorize.conf Configure roles, including granular access controls.
bookmarks.conf Bookmark monitoring console URLs.
checklist.conf Customize monitoring console health check.
collections.conf Configure KV Store collections for apps.
commands.conf Connect search commands to any custom search script.
datamodels.conf Attribute/value pairs for configuring data models.
default.meta.conf Set permissions for objects in a Splunk app.
deploymentclient.conf Specify behavior for clients of the deployment server.
distsearch.conf Specify behavior for distributed search.
event_renderers.conf Configure event-rendering properties.
eventtypes.conf Create event type definitions.
fields.conf Create multivalue fields and add search capability for indexed fields.
health.conf Set the default thresholds for proactive Splunk component monitoring.
indexes.conf Manage and configure index settings.
inputs.conf Set up data inputs.
instance.cfg.conf Designate and manage settings for specific instances of Splunk. This can be handy, for example, when identifying forwarders for internal searches.
limits.conf Set various limits (such as maximum result size or concurrent real-time searches) for search commands.
literals.conf Customize the text, such as search error strings, displayed in Splunk Web.
macros.conf Define search macros in Settings.
messages.conf

Customize Splunk Web messages.

metric_rollups.conf Set attribute/value pairs for metric rollup policy entries.
multikv.conf Configure extraction rules for table-like events (ps, netstat, ls).
outputs.conf Set up forwarding behavior.
passwords.conf Maintain the credential information for an app.
procmon-filters.conf Monitor Windows process data.
props.conf Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties.
pubsub.conf Define a custom client of the deployment server.
restmap.conf Create custom REST endpoints.
savedsearches.conf Define ordinary reports, scheduled reports, and alerts.
searchbnf.conf Configure the search assistant.
segmenters.conf Configure segmentation.
server.conf Contains a wide variety of settings for configuring the overall state of a Splunk Enterprise instance. For example, the file includes settings for enabling SSL, configuring nodes of an indexer cluster or a search head cluster, configuring KV store, and setting up a license master.
serverclass.conf Define deployment server classes for use with deployment server.
serverclass.seed.xml.conf Configure how to seed a deployment client with apps at start-up time.
source-classifier.conf Terms to ignore (such as sensitive data) when creating a source type.
sourcetypes.conf Machine-generated file that stores source type learning rules.
tags.conf Configure tags for fields.
telemetry.conf Enable apps to collect telemetry data about app usage and other properties.
times.conf Define custom time ranges for use in the Search app.
transactiontypes.conf Add additional transaction types for transaction search.
transforms.conf Configure regex transformations to perform on data inputs. Use in tandem with props.conf.
ui-prefs.conf Change UI preferences for a view. Includes changing the default earliest and latest values for the time range picker.
user-seed.conf Set a default user and password.
visualizations.conf List the visualizations that an app makes available to the system.
viewstates.conf Use this file to set up UI views (such as charts).
web.conf Configure Splunk Web, enable HTTPS.
wmi.conf Set up Windows management instrumentation (WMI) inputs.
workflow_actions.conf Configure workflow actions.
workload_rules.conf Configure workload rules to define access and priority for workload pools in workload management.
workload_pools.conf Configure workload pools (compute and memory resource groups) that you can assign to searches in workload management.
Last modified on 15 September, 2020
When to restart Splunk Enterprise after a configuration file change   Configuration parameters and the data pipeline

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters