Databases Reference
In-Depth Information
•
$SPLUNK_HOME/etc/system/local
: This is the location of global
configuration overrides specific to this host. There are very few
configurations that need to live here—most configurations that do live
here are created by Splunk itself. In almost all cases, you should make your
configuration files inside of an app.
•
$SPLUNK_HOME/etc/apps/$app_name/default
: This is the proper location
for configurations in an app that will be shared either through Splunkbase
or otherwise.
•
$SPLUNK_HOME/etc/apps/$app_name/local
: This is where most
configurations should live and where all non-private configurations
created through the web interface will be placed.
•
$SPLUNK_HOME/etc/users/$user_name/$app_name/local
: When a search
configuration is created through the web interface, it will have a permission
setting of
Private
and will be created in a user-/app-specific configuration
file. Once permissions are changed, the configuration will move to the
corresponding directory named
$app_name/local
.
There are a few more directories that contain files that are not
.conf
files. We'll talk
about those later in this chapter, under the
User interface resources
section.
The structure of a Splunk configuration
file
The
.conf
files used by Splunk look very similar to
.ini
files. A simple
configuration looks like this:
#settings for foo
[foo]
bar=1
la = 2
Let's look at the following couple of definitions:
•
stanza
: A stanza is used to group attributes. Our stanza in this example is
[foo]
. A common synonym for this is
section
. Keep in mind the following
key points:
° A stanza name must be unique in a single file
° Order does not matter
Search WWH ::
Custom Search