Configuring Splunk
Everything that controls Splunk lives in configuration files sitting in the filesystem
of each instance of Splunk. These files are unencrypted, easily readable, and easily
editable. Almost all of the work that we have done so far has been accomplished
through the web interface, but everything actually ends up in these configuration files.
While the web interface does a lot, there are many options that are not represented in
the admin interface. There are also some things that are simply easier to accomplish
by editing the files directly.
In this chapter, we will cover:
• Locating configuration files
• Merging configurations
• Debugging configurations
• Common configurations and their parameters
Locating Splunk configuration files
Splunk's configuration files live in $SPLUNK_HOME/etc. This is reminiscent of
Unix's /etc directory but is instead contained within Splunk's directory structure.
This has the advantage that the files don't have to be owned by root. In fact, the
entire Splunk installation can run as an unprivileged user (assuming you don't
need to open a port below 1024 or read files only readable by another user).
The directories that contain configurations are:
• $SPLUNK_HOME/etc/system/default: The default configuration files
that ship with Splunk. Never edit these files as they will be overwritten
each time you upgrade.
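As an added illustration (not code from the book or from Splunk), a small Python audit of the $SPLUNK_HOME/etc tree: because the files are plain text, it reports any .conf that is writable by group or others, and it lists what sits under system/default so it is clear which files an upgrade will overwrite. The directory layout it builds is constructed sample data, and the function names are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical helper: walk $SPLUNK_HOME/etc and sort the .conf files into
# three buckets: loose permissions (group/other writable), files under
# system/default (overwritten on upgrade, never edit), and files under a
# local/ directory (the intended place for site-specific settings).
def audit_splunk_etc(splunk_home):
    etc = Path(splunk_home) / "etc"
    findings = {"loose_perms": [], "default_files": [], "local_files": []}
    for conf in sorted(etc.rglob("*.conf")):
        rel = conf.relative_to(etc).as_posix()
        mode = conf.stat().st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings["loose_perms"].append(rel)
        if rel.startswith("system/default/"):
            findings["default_files"].append(rel)
        elif "/local/" in rel:
            findings["local_files"].append(rel)
    return findings

# Constructed sample tree standing in for a real $SPLUNK_HOME (not a real install).
def build_sample_tree(root):
    layout = {
        "etc/system/default/inputs.conf": 0o644,
        "etc/system/local/inputs.conf": 0o664,      # group-writable: should be flagged
        "etc/apps/search/local/props.conf": 0o600,
    }
    for rel, mode in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("[default]\n")
        path.chmod(mode)   # explicit mode so the process umask does not matter
    return root

def run_sample_audit():
    """Build the sample tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_splunk_etc(tmp)

if __name__ == "__main__":
    for bucket, files in run_sample_audit().items():
        print(bucket, files)
```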