server.conf - Splunk Documentation (original) (raw)

The following are the spec and example files for server.conf.

server.conf.spec

Version 9.4.2

OVERVIEW

This file contains settings and values to configure server options

in server.conf.

Each stanza controls different search commands settings.

There is a server.conf file in the $SPLUNK_HOME/etc/system/default/ directory.

Never change or copy the configuration files in the default directory.

The files in the default directory must remain intact and in their original

location.

To set custom configurations, create a new file with the name server.conf in

the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings

that you want to customize to the local configuration file.

For examples, see server.conf.example. You must restart the Splunk instance

to enable configuration changes.

To learn more about configuration files (including file precedence) see the

documentation located at

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

GLOBAL SETTINGS

Use the [default] stanza to define any global settings.

* You can also define global settings outside of any stanza at the top

of the file.

* Each configuration file should have at most one default stanza.

If you have multiple default stanzas, settings are combined. If you

have multiple definitions of the same settings, the last definition

in the file wins.

* If a setting is defined at both the global level and in a specific

stanza, the value in the specific stanza takes precedence.

General Server Configuration

[general] serverName =

• The name that identifies this Splunk software instance for features such as distributed search.
• Cannot be an empty string.
• Can contain environment variables.
• After any environment variables are expanded, the server name (if not an IPv6 address) can only contain letters, numbers, underscores, dots, and dashes. The server name must start with a letter, number, or an underscore.
• Default: $HOSTNAME

hostnameOption = [ fullyqualifiedname | clustername | shortname ]

• The type of information to use to determine how splunkd sets the 'host' value for a Windows Splunk platform instance when you specify an input stanza with 'host = $decideOnStartup'.
• Applies only to Windows hosts, and only for input stanzas that use the "host = $decideOnStartup" setting and value.
• Valid values are "fullyqualifiedname", "clustername", and "shortname".
• The value returned for the 'host' field depends on Windows DNS, NETBIOS, and what the name of the host is.
  • 'fullyqualifiedname' uses Windows DNS to return the fully qualified host name as the value.
  • 'clustername' also uses Windows DNS, but sets the value to the domain and machine name.
  • 'shortname' returns the NETBIOS name of the machine.
• Cannot be an empty string.
• Default: shortname

sessionTimeout = [s|m|h|d]

• The amount of time before a user session times out, expressed as a search-like time range.
• Examples include "24h" (24 hours), "3d" (3 days), "7200s" (7200 seconds, or two hours)
• Default: "1" (1 hour)

invalidateSessionTokensOnLogout =

• A value of "true" means the SHC invalidates any tokens associated with a logged-out session across all nodes in the cluster.
• This setting has an effect only if search head clustering and App Key Value store are enabled.
• Splunkd on each node tries to keep the logout information in sync with other nodes in the cluster within the specified 'logoutCacheRefreshInterval'.
• Default: false

logoutCacheRefreshInterval = [s|m|h|d]

• This setting controls how often splunkd on a given node updates its local cache from the App Key Value store when 'invalidateSessionTokensOnLogout' is enabled.
• This setting has no effect when 'invalidateSessionTokensOnLogout' is disabled.
• In normal scenarios, maximum time for changes to propogate across the cluster can be upto this interval, plus a few seconds; minimum can be a second or two.
• There is no guarantee that this sync will always happen within this time. If the system is blocked because of load or other issues like network partition, the information may not be propogated within the specified interval.
• Default: 30s

trustedIP =

• Only a single IP address is allowed.
• All logins from specified IP addresses are trusted. This means a password is no longer required.
• Only set this if you are using Single Sign-On (SSO).

allowRemoteLogin = always|never|requireSetPassword

• Controls remote management by restricting general login. Note that this does not apply to trusted SSO logins from a trustedIP.
• When set to "always", all remote login attempts are allowed.
• When set to "never", only local logins to splunkd are allowed. Note that this still allows remote management through Splunk Web if Splunk Web is on the same server.
• If set to "requireSetPassword":
  • In the free license, remote login is disabled.
  • In the pro license, remote login is disabled for the "admin" user if the default password of "admin" has not been changed.
• NOTE: As of version 7.1, Splunk software does not support the use of default passwords. The "requireSetPassword" value is deprecated and might be removed in the future.
• Default: requireSetPassword

tar_format = gnutar|ustar

• Sets the default TAR format.
• Default: gnutar

access_logging_for_phonehome =

• Enables/disables logging to the splunkd_access.log file for client phonehomes.
• Default: true (logging enabled)

hangup_after_phonehome =

• Controls whether or not the deployment server hangs up the connection after the phonehome is done.
• By default, persistent HTTP 1.1 connections are used with the server to handle phonehomes. This might show higher memory usage if you have a large number of clients.
• If you have more than the maximum recommended concurrent TCP connection deployment clients, persistent connections can not help with the reuse of connections. Setting this setting to true helps bring down memory usage.
• Default: false (persistent connections for phonehome)

pass4SymmKey =

• Authenticates traffic between:
  • A license manager and its license peers.
  • Members of a cluster.
  • A deployment server (DS) and its deployment clients (DCs).
• When authenticating members of a cluster, clustering might override the passphrase specified in the clustering stanza. A clustering search head connecting to multiple managers might further override in the [clustermanager:] stanza.
• When authenticating deployment servers and clients, by default, DS-DCs passphrase authentication is disabled. To enable DS-DCs passphrase authentication, you must also add the following line to the [broker:broker] stanza in the restmap.conf file: requireAuthentication = true
• In all scenarios, every node involved must set the same passphrase in the same stanzas. For example in the [general] stanza and/or [clustering] stanza. Otherwise, the respective communication does not proceed:
  • licensing and deployment in the case of the [general] stanza
  • clustering in case of the [clustering] stanza)
• Unencrypted passwords must not begin with "$1$". This is used by Splunk software to determine if the password is already encrypted.

pass4SymmKey_minLength =

• The minimum length, in characters, that a 'pass4SymmKey' can be for a particular stanza.
• When you start the Splunk platform, if the 'pass4SymmKey' is shorter in length than what you specify with this setting, the platform warns you and advises that you change the pass4SymmKey.
• If you use the CLI to modify 'pass4SymmKey' to a value that is shorter than what you specify with this setting, the platform warns you and advises that you change the pass4SymKey.
• Default: 12

unbiasLanguageForLogging =

• Specifies whether to replace the old language terms such as "master" and "slave" with the new terms such as "manager" and "peer"
• Default: false

listenOnIPv6 = no|yes|only

• By default, splunkd listens for incoming connections (both REST and TCP inputs) using IPv4 only.
• When you set this value to "yes", splunkd simultaneously listens for connections on both IPv4 and IPv6.
• To disable IPv4 entirely, set listenOnIPv6 to "only". This causes splunkd to exclusively accept connections over IPv6. You might need to change the mgmtHostPort setting in the web.conf file. Use '[::1]' instead of '127.0.0.1'.
• Any setting of SPLUNK_BINDIP in your environment or the splunk-launch.conf file overrides the listenOnIPv6 value. In this case splunkd listens on the exact address specified.

connectUsingIpVersion = auto|4-first|6-first|4-only|6-only

• When making outbound TCP connections for forwarding event data, making distributed search requests, etc., this setting controls whether the connections are made using IPv4 or IPv6.
• Connections to literal addresses are unaffected by this setting. For example, if a forwarder is configured to connect to "10.1.2.3" the connection is made over IPv4, regardless of what the value of this setting is.
• A value of "auto" means the following:
  • If 'listenOnIPv6' is set to "no", the Splunk server follows the "4-only" behavior.
  • If 'listenOnIPv6' is set to "yes", the Splunk server follows "6-first"
  • If 'listenOnIPv6' is set to "only", the Splunk server follow "6-only" behavior.
• A value of "4-first" means, if a host is available over both IPv4 and IPv6, then the Splunk server connects over IPv4 first and falls back to IPv6 if the IPv4 connection fails.
• A value of "6-first" means splunkd tries IPv6 first and falls back to IPv4 on failure.
• A value of "4-only" means splunkd only attempts to make connections over IPv4.
• A value of "6-only" means splunkd only attempts to connect to the IPv6 address.
• Default: auto (the Splunk server selects a reasonable value based on the listenOnIPv6 setting.)

guid =

• This setting (as of version 5.0) belongs in the [general] stanza of SPLUNK_HOME/etc/instance.cfg file. See the .spec file of instance.cfg for more information.

useHTTPServerCompression =

• Specifies whether the splunkd HTTP server should support gzip content encoding. For more info on how content encoding works, see Section 14.3 of Request for Comments: 2616 (RFC2616) on the World Wide Web Consortium (W3C) website.
• Default: true

defaultHTTPServerCompressionLevel =

• If the useHTTPServerCompression setting is enabled (it is enabled by default), this setting controls the compression level that the Splunk server attempts to use.
• This number must be between 1 and 9.
• Higher numbers produce smaller compressed results but require more CPU usage.
• Default: 6 (This is appropriate for most environments)

skipHTTPCompressionAcl =

• Lists a set of networks or addresses to skip data compression. These are addresses that are considered so close that network speed is never an issue, so any CPU time spent compressing a response is wasteful.
• Note that the server might still respond with compressed data if it already has a compressed version of the data available.
• These rules are separated by commas or spaces.
• The accepted formats for network and address rules are:
  1. A single IPv4 or IPv6 address (examples: "192.0.2.3", "2001:db8::2:1")
  2. A Classless Inter-Domain Routing (CIDR) block of addresses (examples: "192.0.2/24", "2001:DB8::/32")
  3. A DNS name. Use "" as a wildcard. (examples: "myhost.example.com", ".example.org")
  4. The wildcard "*" matches anything.
• Entries can also be prefixed with '!' to negate their meaning.
• Default: localhost addresses

legacyCiphers = decryptOnly|disabled

• This setting controls how Splunk software handles support for legacy encryption ciphers.
• If set to "decryptOnly", Splunk software supports decryption of configurations that have been encrypted with legacy ciphers. It encrypts all new configurations with newer and stronger cyphers.
• If set to "disabled", Splunk software neither encrypts nor decrypts configurations that have been encrypted with legacy ciphers.
• Default: decryptOnly

site =

• Specifies the site that this Splunk instance belongs to when multisite is enabled.
• Valid values for site-id include site0 to site63
• The special value "site0" can be set only on search heads or on forwarders that are participating in indexer discovery.
  • For a search head, "site0" disables search affinity. 
  • For a forwarder participating in indexer discovery, "site0" causes the forwarder to send data to all peer nodes across all sites.

useHTTPClientCompression = true|false|on-http|on-https

• Specifies whether gzip compression should be supported when splunkd acts as a client (including distributed searches). Note: For the content to be compressed, the HTTP server that the client is connecting to should also support compression.
• If the connection is being made over https and "useClientSSLCompression=true", then setting "useHTTPClientCompression=true" results in double compression work without much compression gain. To mitigate this, set this value to "on-http" (or to "true", and 'useClientSSLCompression' to "false").
• Default: true

embedSecret =

• When using report embedding, normally the generated URLs can only be used on the search head that they were generated on.
• If "embedSecret" is set, then the token in the URL is encrypted with this key. Then other search heads with the exact same setting can also use the same URL.
• This is needed if you want to use report embedding across multiple nodes on a search head pool.

parallelIngestionPipelines =

• The number of discrete data ingestion pipeline sets to create for this instance.
• A pipeline set handles the processing of data, from receiving streams of events through event processing and writing the events to disk.
• An indexer that operates multiple pipeline sets can achieve improved performance with data parsing and disk writing, at the cost of additional CPU cores.
• For most installations, the default setting of "1" is optimal.
• Use caution when changing this setting. Increasing the CPU usage for data ingestion reduces available CPU cores for other tasks like searching.
• If the data source is streamed over TCP or UDP, such as syslog sources, only one pipeline will be used.
• NOTE: Enabling multiple ingestion pipelines can change the behavior of some settings in other configuration files. Each ingestion pipeline enforces the limits of the following settings independently:
  1. maxKBps (in the limits.conf file)
  2. max_fd (in the limits.conf file)
  3. maxHotBuckets (in the indexes.conf file)
  4. maxHotSpanSecs (in the indexes.conf file)
• Default: 1

pipelineSetAutoScale =

• Whether or not splunkd automatically scales up the number of pipeline sets in certain cases when CPU resources are available.
• A value of "true" means splunkd automatically scales up pipeline sets using the "blocked_queue_count" pipeline set selection policy.
• See the 'pipelineSetSelectionPolicy' setting for more information on the "blocked_queue_count" policy.
• A value of "true" also means that intermediate forwarders scale the number of pipeline sets to half the number of available virtual CPUs.
  • If a workload management pool exists, then:
    • Splunk instance scales up the number of pipeline sets to the number of virtual CPUs for the 'ingest' workload pool divided by 4.
  • If a workload management pool does not exist, then:
    • Splunk instance types scale up the number of pipeline sets to the number of available virtual CPUs divided by 15.
• A value of "false" means that splunkd uses the value for 'parallelIngestionPipelines' and does not scale the number of pipeline sets to meet demand.
• If 'parallelIngestionPipelines' has a higher value than the previously-described automatic calculations, then splunkd uses that value instead to scale up the number of pipeline sets.
• Default: false

pipelineSetSelectionPolicy = round_robin|weighted_random|blocked_queue_count

• Specifies the pipeline set selection policy to use while selecting pipeline sets for new inputs.
• A value of "round_robin" means that splunkd assigns incoming inputs to pipeline sets in around robin fashion.
• A value of "weighted_random" means that splunkd assigns the incoming inputs to pipeline sets using a weighted random scheme designed to even out the CPU usage of each pipeline set.
  • The "weighted_random" value is valid only when 'parallelIngestionPipelines' has a value that is greater than 1.
• A value of "blocked_queue_count" means that splunkd assigns the incoming inputs to pipeline sets using a combination of a round-robin scheme for each input type and a blocked queue count scheme that tracks the number of blocked queues in each pipeline set.
  • There are 5 input types in general: modular input, file input, network input, replication, and others.
  • If the pipeline set that splunkd selects has a blocked queue count, then splunkd selects another pipeline set with the lowest blocked queue count and assigns the input to that pipeline set. This ensures that a particular input type is balanced across all available pipeline sets.
  • Splunkd writes a "blocked queue count (blocked_count)" message to the metrics.log log file regardless of the value of this setting.
  • The "blocked_queue_count" value is valid only when 'parallelIngestionPipelines' has a value that is greater than 1.
• Default: round_robin

pipelineSetWeightsUpdatePeriod =

• The interval, in seconds, when pipeline set weights are recalculated for the weighted_random pipeline set selection policy.
• Reducing this interval causes pipeline set weights to be re-evaluated more frequently, thereby enabling the system to react more quickly to changes in dutycycle estimation.
• Increasing this interval causes pipeline set weights to be re-evaluated less frequently, thereby reducing the likelihood of the system responding to bursty events.
• Default: 30

pipelineSetNumTrackingPeriods =

• The number of look-back periods, of interval pipelineSetWeightsUpdatePeriod, that are used to keep track of incoming ingestion requests for pipeline sets.
• This information is used as a heuristic to calculate the pipeline set weights at every expiry of pipelineSetWeightsUpdatePeriod.
• Default: 5

pipelineSetChannelSetCacheSize =

• Maximum number of inactive channels to be stored in the per-pipeline set cache to reduce load in the configuration management system.
• Currently only affects ingestion via the HTTP Event Collector.
• Increasing this setting should reduce the number of created channels reported in metrics.log under the 'channel_cache' group. If neither that group nor the 'created' field exists in metrics.log, increasing this value has no effect.
• Default: 12

instanceType =

• Should not be modified by users.
• Informs components (such as the Splunk Web Manager section) which environment the Splunk server is running in, to allow for more customized behaviors.
• Default: download

requireBootPassphrase =

• Prompt the user for a boot passphrase when starting splunkd.
• Splunkd uses this passphrase to grant itself access to platform-provided secret storage facilities, like the GNOME keyring.
• For more information about secret storage, see the [secrets] stanza in $SPLUNK_HOME/etc/system/README/authentication.conf.spec.
• Default (if Common Criteria mode is enabled): true
• Default (if Common Criteria mode is disabled): false

numThreadsForIndexInitExecutor =

• Number of threads that can be used by the index init thread pool.
• Maximum accepted value for this setting is 32.
• Default: 16

remoteStorageRecreateIndexesInStandalone =

• Controls re-creation of remote storage enabled indexes in standalone mode.
• Default: true

cleanRemoteStorageByDefault =

• Allows 'splunk clean eventdata' to clean the remote indexes when set to true.
• Default: false

is_remote_queue_accounting_batched =

• Allows indexer to maintain a batched count of events that have been uploaded to remote storage when set to true.
• This count is subsequently used to delete corresponding messages from remote queue.
• Default: false

recreate_index_fetch_bucket_batch_size =

• Controls the maximum number of bucket IDs to fetch from remote storage as part of a single transaction for a remote storage enabled index.
• Only valid for standalone mode.
• Default: 500

recreate_bucket_fetch_manifest_batch_size =

• Controls the maximum number of bucket manifests to fetch in parallel from remote storage.
• Only valid for standalone mode.
• Default: 100

splunkd_stop_timeout =

• The maximum time, in seconds, that splunkd waits for a graceful shutdown to complete before splunkd forces a stop.
• Default: 360 (6 minutes)

decommission_search_jobs_wait_secs =

• The maximum time, in seconds, that splunkd waits for running searches to complete during a shutdown_decommission_search.
• To trigger this type of shutdown, post to 'services/server/control/shutdown_decommission_search'
• If set to 0, splunkd does not wait, and all searches in progress will fail.
• If this search head is a member of a search head cluster, use 'decommission_search_jobs_wait_secs' in the [shclustering] stanza instead.
• NOTE: If this search head is a node of an indexer cluster, use 'decommission_search_jobs_wait_secs' in the [clustering] stanza instead.
• Default: 0

decommission_search_jobs_min_wait_ratio =

• Fraction of the decommission_search_jobs_wait_secs that splunkd will always wait during a shutdown_decommission_search.
• This wait is not contingent on whether or not there are any actively running searches
• Once this minimum wait time has elapsed, splunkd will wait the remainder of decommission_search_jobs_wait_secs contingent on the presence of actively running search processes on this indexer.
• Default: 0.15

python.version = python3|python3.7|python3.9|force_python3|unspecified

• For Python scripts only, sets the default Python version to use.
• Can be overridden by other 'python.version' values elsewhere, with the following exception:
• If you set to "python3" or "python3.7", the system uses Python 3.7.
• If you set to "python3.9", the system uses Python 3.9.
• If you set to "force_python3", the system always uses Python 3.9, and ignores values for 'python.version' that you set elsewhere.
• If you set to "unspecified", the system calls the python interpreter 'python' to run scripts. Used on universal forwarders when calling an external instance of python. This setting value is not supported.
• Default: force_python3

roll_and_wait_for_uploads_at_shutdown_secs =

• Currently not supported. This setting is related to a feature that is still under development.
• Default: 0 (disabled)

preShutdownCleanup =

• Currently not supported. This setting is related to a feature that is still under development.
• Specifies if indexer waits to complete any indexing activities before continuing with shutdown.
• Default: true

reset_manifests_on_startup =

• Whether or not the Splunk platform instance regenerates size retention information for index bucket summaries that have been stored in the manifest.csv files.
• Configuring this setting lets the platform instance have the most up-to-date size retention information immediately after startup.
• When set to true, the size retention information for summaries stored in the manifest.csv files are removed and regenerated during startup.
• When set to false, manifest.csv files are not reset during startup.
• Default: true

percent_manifests_to_reset =

• In order to minimize the cost of resetting all manifest.csv files at once the manifest.csv files are separated in groups that are processed separately.
• This percentage defines how many manifest.csv files each group will reset.
• For example, a setting of 20 means each group resets 20% of all manifests resulting in 5 groups with 20% each.
• The minimum of one manifest.csv file will be processed per group.
• Legal values are between 0 and 100.
• Default: 10

regex_cache_hiwater =

• A threshold for the number of entries in the regex cache. If the regex cache grows larger than this, splunkd server will purge some of the older entries.
• When set to a negative value, no purge occurs, no matter how large the cache.
• Default: 2500

enable_search_process_long_lifespan =

• Controls whether the search process can have a long lifespan.
• Configuring a long lifespan on a search process can optimize performance by reducing the number of new processes that are launched and old processes that are reaped, and is a more efficient use of system resources.
• When set to "true": Splunk software does the following:
  • Suppresses increases in the configuration generation. See the 'conf_generation_include' setting for more information.
  • Avoids unnecessary replication of search configuration bundles.
  • Allows a certain number of idle search processes to live.
  • Sets the size of the pool of search processes.
  • Checks memory usage before a search process is reused.
• When set to "false": The lifespan of a search process at the 50th percentile is approximately 30 seconds.
• NOTE: Do not change this setting unless instructed to do so by Splunk Support.
• Default: true

conf_generation_include. =

• Controls whether conf generation bumps at a property change in a particular type of *.conf file, mainly used on search head.
• In general, do not bump when a property change needs to restart Splunk server or is not related to search execution.
• If set properly, Splunk server skips unnecessary generation increments to maximize reuse of preforked search processes at search head. As a result, overall search performance is improved in shorter execution time and better system resource utilization.
• Has no effect if 'enable_search_process_long_lifespan' is set to "false".
• Default: false

encrypt_fields =

• A list of the fields that need to be re-encrypted when a search head cluster performs a first-time run on syncing all members with a new splunk.secret key, and when a bundle is created and applied in an indexer cluster.
• Provide each field as a three-element entry. Separate each field element with colons, and each field with commas, for example: ::, ::...
• Do not include brackets when you specify a stanza-prefix.
• To match all stanzas from a configuration file, leave the stanza-prefix empty. For example: "server: :pass4SymmKey" matches all stanzas with 'pass4SymmKey' as the key in the server.conf file.
• Default: a default list of fields containing passwords, secret keys, and identifiers: "server: :sslKeysfilePassword", "server: :sslPassword", "server: :pass4SymmKey",...

conf_cache_memory_optimization =

• Turns on or off memory optimization for configuration file caches for all Splunk configuration file types.
• A value of "true" turns on memory optimization for configuration files.
• A value of "false" turns off memory optimization for configuration files.
• Turning on this setting can reduce the memory footprint of the splunkd process due to caching of configurations.
• NOTE: Do not change this setting without first consulting with Splunk Support.
• Default: true

conf_cache_rebuild_stanzas_optimization =

• Turns on or off per stanza configuration cache rebuild for all Splunk configuration file types.
• A value of "true" turns on per stanza configuration cache rebuild. Only the changed stanzas of the configuration cache are rebuilt.
• A value of "false" turns off per stanza configuration cache rebuild. All contents of the configuration file cache are rebuilt.
• Turning on this setting can reduce the read latency of a changed configuration file cache.
• NOTE: Do not change this setting without first consulting with Splunk Support.
• Default: false

cgroup_location =

• Specifies the location of the cgroup hierarchy for the splunkd, search, and helper processes within cgroups version 1 or 2.
• This setting requires a Linux system with systemd.
• A value of "auto" turns on automatic detection, which is based on the contents of /proc//cgroup and /proc//mountinfo.
• NOTE: Do not change this setting unless instructed to do so by Splunk Support.
• Default: auto

Configuration Change Tracker

[config_change_tracker] disabled =

• Whether or not splunkd writes configuration changes to the configuration change log at $SPLUNK_HOME/var/log/splunk/configuration_change.log.
• If set to "false", configuration changes are captured in $SPLUNK_HOME/var/log/splunk/configuration_change.log.
• If set to "true", configuration changes are not captured in $SPLUNK_HOME/var/log/splunk/configuration_change.log.
• Default: false

mode = [auto|diff|track-only]

• Determines the method used by 'config_change_tracker' to track and record changes to .conf files.
• A value of "auto" or "diff" means splunkd logs all configuration changes made to .conf files, including changes to setting values. In this mode, config change tracking only includes changes that could have an effect on your environment. For example, if a file with a stanza and setting-value pair is created, updated, or deleted, splunkd logs the change. But if an empty file or a stanza without any setting-value pairs is added or deleted, splunkd does not log the change since it will not have an impact. Similarly, splunkd does not track any comments that are added to or removed from files.
• A value of "track-only" means splunkd logs .conf file changes, but excludes configuration setting values. In this mode, config change tracking includes changes whether or not they can have an effect on your environment. For example, splunkd logs a change for any updates to file content, or that come from a change by the operating system. Splunkd also sees a comment that has been added to a .conf file as a change, because that change results in a different file checksum.
• Splunkd tracks all .conf files under the following directories:
  • $SPLUNK_HOME/etc/system
  • $SPLUNK_HOME/etc/apps
  • $SPLUNK_HOME/etc/users
  • $SPLUNK_HOME/etc/peer-apps It also tracks changes to the following:
  • $SPLUNK_HOME/etc/instance.cfg
• The values "auto" and "diff" have the same behavior at this time. Setting the value to "auto" ensures that the instance will always use the latest feature set.
• Default: auto

denylist =

• If set, splunkd does not monitor files for configuration change tracker if their path matches the specified regex.
• No default.

log_throttling_disabled =

• Describes whether or not splunkd logs config changes to a .conf file that occur within the 'log_throttling_threshold_ms' time span as a single event.
• A value of "false" means that splunkd logs all changes to a conf file within the time span 'log_throttling_threshold_ms' as a single event.
• A value of "true" means that splunkd logs all changes individually as soon as it detects them.
• This setting requires a Linux system with the "inotify" API for file system event monitoring.
• Do not change this setting without first consulting with Splunk Support.
• Default: true

log_throttling_threshold_ms =

• The span of time, in milliseconds, during which splunkd logs multiple changes to a .conf file as a single configuration change event.
• If multiple changes are made to a conf file within the time span 'log_throttling_threshold_ms' milliseconds, splunkd logs those changes as a single event.
• Default: 10000

exclude_fields =

• One or more stanza keys that splunkd is to exclude when it writes information about stanza configuration changes to the configuration_change.log file.

• The format for each entry is '::'. Separate multiple entries with commas.

• To exclude all keys under a stanza, use the '::*' format.

• can end with a '*' (asterisk). Splunkd treats this as a wildcard.

• If contains a colon, enclose it in quotes. For example: 'inputs.conf:"tcp-ssl:":'

• This setting has no effect if 'mode' has a value of "track-only".

• Example: 'server.conf:general:pass4SymmKey, authentication.conf:authentication:*'

• No default.

• NOTE: The [config_change_audit] stanza, which was previously mentioned in the Splunk version 8.2.0 documentation and configuration specification files, is now DEPRECATED.

Deployment Configuration details

[deployment] pass4SymmKey = * Authenticates traffic between the deployment server (DS) and its deployment clients (DCs). * By default, DS-DCs passphrase authentication key is disabled. To enable DS-DCs passphrase authentication, you must also add the following line to the [broker:broker] stanza in the restmap.conf file: requireAuthentication = true * If the key is not set in the [deployment] stanza, the key is looked for in the [general] stanza. * NOTE: Unencrypted passwords must not begin with "$1$", because this is used by Splunk software to determine if the password is already encrypted.

pass4SymmKey_minLength =

• The minimum length, in characters, that a 'pass4SymmKey' should be for a particular stanza.
• When you start the Splunk platform, if the 'pass4SymmKey' is shorter in length than what you specify with this setting, the platform warns you and advises that you change the pass4SymKey.
• If you use the CLI to modify 'pass4SymmKey' to a value that is shorter than what you specify with this setting, the platform warns you and advises that you change the pass4SymKey.
• Default: 12

TLS/SSL Configuration details

[sslConfig]

• Set TLS for communications on the Splunk platform back-end under this stanza name.
  • NOTE: To set TLS (for example HTTPS) for Splunk Web and the browser, use the web.conf configuration file.
• Follow this stanza with any number of the following setting/value pairs.
• If you do not specify an entry for each setting, the Splunk platform uses the default values.

enableSplunkdSSL =

• Whether or not the Splunk daemon uses TLS/SSL on the management port (default 8089) and app key value store (KV Store, default 8191) network ports.
• A value of "true" means that splunkd runs TLS on the management and KV Store ports.
• A value of "false" means that splunkd does not run TLS on any port.
• NOTE: Where practical, do not run splunkd without using TLS.
• Distributed search often performs better when you enable TLS.
• Default: true

useClientSSLCompression =

• Whether or not HTTP client compression is turned on.
• Server-side compression is turned on by default. Setting this on the client-side enables compression between server and client.
• Enabling this potentially gives you much faster distributed searches across multiple Splunk instances.
• CAUTION: There are known performance issues when TLS compression is on. Confirm that the following settings have "false" values before you configure this setting to "true" to avoid double compression:
  • 'conf_deploy_precompress_bundles'
  • 'precompress_cluster_bundle'
  • 'precompress_artifacts'
  • 'preCompressKnowledgeBundlesClassicMode'
  • 'preCompressKnowledgeBundlesCascadeMode'
  • 'useHTTPClientCompression'
• Default: false

useSplunkdClientSSLCompression =

• Whether or not splunkd, as an HTTP client, uses TLS compression during activities like certificate exchange, bundle replication, remote calls, and so on.
• This setting is effective if, and only if, 'useClientSSLCompression' has a value of "true".
• A value of "true" means that splunkd, as a client, uses TLS compression when connecting to other services.
• A value of "false" means that splunkd does not use TLS compression.
• NOTE: splunkd is not involved in data transfer in distributed search, the search in a separate process is.
• Default: true

sslVersions =

• The list of TLS/SSL versions to support for incoming connections.
• The versions available are "ssl3", "tls1.0", "tls1.1", and "tls1.2".
• The special version "*" selects all supported versions. The version "tls" selects all versions tls1.0 or newer.
• If you prefix a version with "-", it means to exclude that version from the list.
• SSLv2 is always disabled; "-ssl2" is accepted in the version list but does nothing.
• If the Splunk platform instance runs in FIPS mode, "ssl3" is always disabled regardless of this configuration.
• The default can vary. See the 'sslVersions' setting in the $SPLUNK_HOME/etc/system/default/server.conf file for the current default

sslVersionsForClient =

• The list of TLS/SSL versions to support for outgoing HTTP connections from splunkd. This includes distributed search, deployment client, etc.
• Configuring this setting is usually less critical than configuring the 'sslVersions' setting, since TLS/SSL always picks the highest version that both client and server support. However, you can use this setting to prohibit making connections to remote servers that only support older protocols.
• The syntax is the same as the 'sslVersions' setting.
• NOTE: For forwarder connections, there is a separate 'sslVersions' setting in the outputs.conf file. For connections to SAML servers, there is a separate 'sslVersions' setting in the authentication.conf file.
• The default can vary. See the 'sslVersionsForClient' setting in the $SPLUNK_HOME/etc/system/default/server.conf file for the current default

supportSSLV3Only =

• DEPRECATED. Use 'sslVersions' or 'sslVersionsForClient' instead.

sslVerifyServerCert =

• Whether or not splunkd, as a client, validates the TLS certificate that a server presents to it when it connects to a server.
• This setting serves as an additional step for authenticating connections to other Splunk platform services. Multiple services can use this setting, including but not limited to distributed search and distributed deployment clients.
  • For distributed search, the client uses this setting when it makes a search request to another search head cluster peer.
  • For distributed deployment, the client uses this setting when it polls a deployment server.
• A value of "true" means that the client inspects and validates the certificate that it receives from the server upon connecting to it.
  • This ensures that the server you are connecting to has a valid TLS/SSL certificate.
  • The client then checks both the X.509 Common Name and Subject Alternative Name of the server in the certificate for a match.
  • If the server does not present a certificate, or the validation check does not pass, then the client terminates the handshake between it and the server immediately, which terminates the connection.
  • NOTE: Certificates that contain the same Common Name as a certificate authority (CA) certificate are not suitable for this validation check, even if the same CA issued the certificate.
• A value of "false" means that the client does not check the TLS certificate that it receives as part of the session negotiation. The client considers any valid TLS certificate as acceptable.
• Default: false

sslCommonNameToCheck =

• One or more X.509 standard Common Names of the server certificate which splunkd, as a client, checks against when it connects to a server using TLS.
• The Common Name (CN) is an X.509 standard field in a certificate that identifies the host name that is associated with the certificate.
  • The CN can be a short host name or a fully qualified domain name. For example, the CN can be one of "example", "www.example.com", or "example.com".
• If the client cannot match the CN in the certificate that the server presents, then the client cannot authenticate the server, and terminates the session negotiation immediately.
• For this setting to have any affect, the 'sslVerifyServerCert' setting must have a value of "true".
• This setting is optional.
• No default (no common name checking).

sslCommonNameList = , , ...

• DEPRECATED. Use the 'sslCommonNameToCheck' setting instead.

sslAltNameToCheck =

• One or more Subject Alternative Names of the server certificate which splunkd, as a client, checks against when it connects to a server using TLS.
• The Subject Alternative Name (SAN) is an extension to the X.509 standard that lets you specify additional host names for a TLS certificate. The SAN can be a short host name or a fully qualified domain name.
• If the client cannot match the SAN in the certificate that the server presents, then the client cannot authenticate the server, and terminates the session negotiation immediately.
• The client does not validate any names in this list against the Common Name.
• For this setting to have any affect, the 'sslVerifyServerCert' setting must have a value of "true".
• This setting is optional.
• No default (no alternative name checking).

requireClientCert =

• Whether or not an HTTPS client which connects to a splunkd server must possess a certificate that a certificate authority signed to complete the connection.
• Multiple services can use this setting, including but not limited to distributed search and distributed deployment clients.
  • Splunk platform indexers must use this setting to connect to other Splunk platform indexers.
  • Deployment clients must present certificates to deployment servers before they can poll the servers for new configurations or applications.
• A value of "true" means that a client can connect only if it has a certificate that was signed by a certificate authority that the splunkd server trusts.
• A value of "false" means that there is no certificate requirement to connect to services on another Splunk platform instance.
• Default: false

sslVerifyServerName =

• Whether or not splunkd, as a client, performs a TLS hostname validation check on a TLS certificate that it receives upon an initial connection to a server.
• A TLS hostname validation check ensures that a client communicates with the correct server, and has not been redirected to another by a machine-in-the-middle attack, where a malicious party inserts themselves between the client and the target server, and impersonates that server during the session.
• Specifically, the validation check forces splunkd to verify that either the Common Name or the Subject Alternative Name in the certificate that the server presents to the client matches the host name portion of the URL that the client used to connect to the server.
• For this setting to have any effect, the 'sslVerifyServerCert' setting must have a value of "true". If it doesn't, TLS hostname validation is not possible because certificate verification is not on.
• A value of "true" for this setting means that splunkd performs a TLS hostname validation check, in effect, verifying the server's name in the certificate.
  • If that check fails, splunkd terminates the TLS handshake immediately. This terminates the connection between the client and the server. Splunkd logs this failure at the ERROR logging level.
• A value of "false" means that splunkd does not perform the TLS hostname validation check. If the server presents an otherwise valid certificate, the client-to-server connection proceeds normally.
• Default: false

caTrustStore = <[splunk],[OS]>

• The type of trust store that the Splunk platform accesses to validate connections over TLS.
• The Splunk platform uses this setting to load certificate authority certificates for this kind of validation.
• A value of "splunk" means the platform only uses the certificate authority certificates in the trust store that the 'sslRootCAPath' setting references.
• A value of "OS" means the platform only uses the CA certificates in the trust store that the operating system on the instance defines.
• Splunk provides support for OS trust store usage on the Linux and Windows operating systems. There is currently no support for loading certificate trust stores on macOS.
• Providing both values ("splunk,OS") means that the platform uses CA certificates within both the Splunk platform and operating system trust stores.
• If a duplicate certificate exists in both types of trust store, the platform prioritizes using the certificate in the Splunk platform trust store.
• This values for this setting are not case sensitive.
• Default: splunk

caTrustStorePath =

• The path to the location of the certificate authority trust store on a machine that runs a distribution of Linux.
• Different Linux distributions use different locations for the CA trust store. This setting lets you configure where the Splunk platform looks for the trust store, based on the distribution of Linux you run.
• If 'caTrustStore' has a value of "OS", but this setting has either no value or an invalid value, then the Splunk platform does not attempt to load any certificates from the OS trust store to validate TLS, and logs an error message in the splunkd.log log file.
• Following are example trust store locations for popular Linux distributions: Debian/Ubuntu/Gentoo: /etc/ssl/certs/ca-certificates.crt Fedora/RHEL 6, 8, 9: /etc/pki/tls/certs/ca-bundle.crt CentOS/RHEL 7: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
• No default.

cipherSuite =

• A list of cipher suites for splunkd to use.
• If set, Splunk uses the specified cipher string for the HTTP server.
• If not set, Splunk uses the default cipher string that the OpenSSL binary provides.
• If you want to use any Diffie-Hellman ciphers, you must use the 'dhFile' setting.
• The default can vary. See the 'cipherSuite' setting in the $SPLUNK_HOME/etc/system/default/server.conf file for the current default.

ecdhCurveName =

• DEPRECATED. Use the 'ecdhCurves' setting instead.
• Default: empty string

ecdhCurves =

• A list of elliptic curves to use for the Elliptic-curve Diffie-Hellman (ECDH) key negotiation protocol.
• The client sends elliptic curves as part of the Client Hello during a TLS handshake.
• Specify elliptic curves in the order that you prefer them.
• The server supports only the curves specified in the list.
• Splunk software only supports named curves that you specify by their short names.
• You can get the list of valid named curves by their short and long names by running this CLI command: $SPLUNK_HOME/bin/splunk cmd openssl ecparam -list_curves
• Example configuration: "ecdhCurves = prime256v1,secp384r1,secp521r1"
• The default can vary. See the 'ecdhCurves' setting in $SPLUNK_HOME/etc/system/default/server.conf for the current default.

serverCert =

• The full path to the server certificate.
• The Splunk daemon auto-generates certificates when you start Splunk Enterprise the first time.
• Where applicable, replace the default certificate with a certificate that you either create on your own or obtain from a third party.
• For more information about certificates, and how to obtain, create, and install them, search the Securing Splunk Enterprise Manual for "Introduction to Securing the Splunk Platform with TLS".
• The certificate must be in privacy-enhanced mail (PEM) format.
• Default: $SPLUNK_HOME/etc/auth/server.pem

sslKeysfile =

• DEPRECATED. Use the 'serverCert' setting instead.
• The location of the server certificate file, as located in the directory that the DEPRECATED 'caPath' setting references.
• Default: server.pem

sslPassword =

• The password for the server certificate, if you created one.
• Default: password

sslKeysfilePassword =

• DEPRECATED. Use the 'sslPassword' setting instead.

sslRootCAPath =

• The path to the certificate authority (CA), or root certificate store.
• The certificate store must be a file that contains one or more CA certificates that have been concatenated together. This setting expects a value that represents a file object, not a directory object.
• The certificates in the certificate store file must be in privacy-enhanced mail (PEM) format.
• If you run Splunk Enterprise in Common Criteria mode, then you must give this setting a value.
• This setting is valid on Windows machines only if the 'sslRootCAPathHonoredOnWindows' has a value of "true".
• No default.

sslRootCAPathHonoredOnWindows =

• DEPRECATED.
• Whether or not the Splunk instance respects the 'sslRootCAPath' setting on Windows machines.
• This setting is valid only on Windows, and only if you have set 'sslRootCAPath'.
• A value of "true" means that the instance respects the 'sslRootCAPath' setting on Windows machines.
• A value of "false" means that the instance does not respect the 'sslRootCAPath' setting on Windows machines.
• When the 'sslRootCAPath' setting is respected, the instance expects to find a valid PEM file with valid root certificates that are referenced by that path. If a valid file is not present, TLS communication fails.
• Default: true

caCertFile =

• DEPRECATED. Use the 'sslRootCAPath' setting instead.
• The file name for the CA certificate file.
• This file must be in PEM format and contain one or more certificates concatenated together.
• If you have not given the 'sslRootCAPath' setting a value, then Splunk Enterprise attempts to locate a CA certificate using this setting.
• Default: cacert.pem

dhFile =

• The location of the Diffie-Hellman (DH) parameter file.
• This file must be in PEM format.
• The DH group size, which determines the strength of the key that the DH key exchange process uses, must not be fewer than 2048 bits.
• You must specify this file to enable any Diffie-Hellman ciphers.
• No default.

caPath =

• DEPRECATED. Use absolute paths for all certificate files.
• If certificate files given by other settings in this stanza are not absolute paths, then they are relative to this path.
• Default: $SPLUNK_HOME/etc/auth

certCreateScript =