About configuration files - Splunk Documentation


Splunk Enterprise configuration settings are stored in configuration files. These files are identified by the .conf extension. Types of configuration settings include:

For a list of configuration files and an overview of the area that each file covers, see List of configuration files in this manual.

Default configuration files are stored in the $SPLUNK_HOME/etc/system/default/ directory.

Use Splunk Web to manage configuration files

When you change your configuration in Splunk Web, that change is written to a copy of the configuration file for that setting. Splunk software creates a copy of this configuration file (if it does not exist), writes the change to that copy, and adds it to a directory under $SPLUNK_HOME/etc/.... The directory that the new file is added to depends on a number of factors that are discussed in Configuration file directories in this manual. The most common directory is $SPLUNK_HOME/etc/system/local, which is used in the example.

If you add a new index in Splunk Web, the software performs the following actions:

1. Checks for a copy of the file.

2. If no copy exists, the software creates a copy of indexes.conf and adds it to a directory, such as $SPLUNK_HOME/etc/system/local.

3. Writes the change to the copy of indexes.conf.

4. Leaves the default file unchanged in $SPLUNK_HOME/etc/system/default.

Edit the configuration file settings directly

While you can perform a lot of configuration with Splunk Web or CLI commands, you can also edit the configuration files directly. Some advanced configurations are not exposed in Splunk Web or the CLI and can only be changed by editing the configuration files directly.

Never change, copy, or move the configuration files that are in the default directory. Default files must remain intact and in their original location. When you upgrade your Splunk software, the default directory is overwritten. Any changes that you make in the default directory are lost when you upgrade to a newer version of the software. Changes that you make in non-default configuration directories persist when you upgrade.

To change settings for a particular configuration file, you must first create a new version of the file in a non-default directory and then add the settings that you want to change. When you first create this new version of the file, start with an empty file. Do not start from a copy of the file in the default directory. For information on the directories where you can manually change configuration files, see Configuration file directories.
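The override pattern described above, as an added example (not Splunk's own code or tooling): a Python audit that compares a file in a non-default directory against its default counterpart and flags local settings that merely repeat the default, a sign the file was started from a copy instead of an empty file. The parser handles only stanza headers, key = value lines and # comments; the function names are hypothetical and the sample file contents are constructed, not actual Splunk defaults.

```python
def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    # Assumption: settings that appear before any stanza header go under "default".
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def audit_local(default_text, local_text):
    """Classify each local setting as 'override', 'redundant' or 'new'."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    report = {"override": [], "redundant": [], "new": []}
    for stanza, settings in local.items():
        base = default.get(stanza, {})
        for key, value in settings.items():
            if key not in base:
                kind = "new"               # setting exists only in the local file
            elif base[key] == value:
                kind = "redundant"         # repeats the default value verbatim
            else:
                kind = "override"          # intentional change to a default
            report[kind].append((stanza, key))
    return report


# Constructed sample contents standing in for default/indexes.conf and local/indexes.conf.
DEFAULT_INDEXES = """
[main]
homePath = $SPLUNK_DB/defaultdb/db
maxTotalDataSizeMB = 500000
"""
LOCAL_INDEXES = """
# local file that was started from a copy of the default
[main]
homePath = $SPLUNK_DB/defaultdb/db
maxTotalDataSizeMB = 100000

[web_logs]
homePath = $SPLUNK_DB/web_logs/db
"""

if __name__ == "__main__":
    for kind, items in audit_local(DEFAULT_INDEXES, LOCAL_INDEXES).items():
        print(kind, items)
```

A "redundant" entry is harmless today but keeps the old value in force if a later upgrade changes that default, which is why the local file should contain only the settings you intend to change.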

Before you change any configuration files:

After you are familiar with the configuration file content and directory structure, and understand how to leverage Splunk Enterprise configuration file precedence, see How to edit a configuration file to learn how to safely change your files.


This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2