├── datatypesbnf.conf ├── livetail.conf ├── livetail.conf.spec ├── pubsub.conf.spec ├── datatypesbnf.conf.spec ├── workload_policy.conf ├── workload_rules.conf ├── literals.conf ├── literals.conf.spec ├── metric_rollups.conf ├── viewstates.conf ├── global-banner.conf ├── multikv.conf ├── deployment.conf.spec ├── audit.conf ├── telemetry.conf ├── workflow_actions.conf ├── ipc_broker.conf ├── workload_pools.conf ├── event_renderers.conf ├── field_filters.conf ├── transactiontypes.conf ├── migration.conf.spec ├── procmon-filters.conf ├── agent_management.conf ├── default-mode.conf ├── passwords.conf.spec ├── bookmarks.conf.spec ├── metric_alerts.conf ├── procmon-filters.conf.spec ├── source-classifier.conf.spec ├── audit.conf.spec ├── serverclass.conf ├── authentication.conf ├── tags.conf.spec ├── workload_policy.conf.spec ├── sourcetypes.conf.spec ├── eventtypes.conf ├── viewstates.conf.spec ├── user-seed.conf.spec ├── collections.conf ├── global-banner.conf.spec ├── datamodels.conf ├── ipc_broker.conf.spec ├── segmenters.conf ├── instance.cfg.spec ├── event_renderers.conf.spec ├── eventdiscoverer.conf.spec ├── serverclass.seed.xml.spec ├── federated.conf ├── commands.conf ├── default.meta.spec ├── default-mode.conf.spec ├── outputs.conf ├── ui-prefs.conf ├── fields.conf ├── distsearch.conf ├── eventtypes.conf.spec ├── macros.conf.spec ├── collections.conf.spec ├── times.conf ├── inputs.conf ├── eventdiscoverer.conf ├── app.conf ├── times.conf.spec ├── ui-prefs.conf.spec ├── checklist.conf.spec ├── segmenters.conf.spec ├── multikv.conf.spec ├── messages.conf.spec ├── ui-tour.conf.spec ├── agent_management.conf.spec ├── field_filters.conf.spec ├── visualizations.conf.spec ├── workload_pools.conf.spec ├── fields.conf.spec ├── metric_rollups.conf.spec ├── user-prefs.conf.spec ├── conf.conf ├── setup.xml.spec ├── transactiontypes.conf.spec └── workflow_actions.conf.spec /datatypesbnf.conf: -------------------------------------------------------------------------------- 1 
| # This file intentionally left blank 2 | -------------------------------------------------------------------------------- /livetail.conf: -------------------------------------------------------------------------------- 1 | # This file intentionally left blank 2 | -------------------------------------------------------------------------------- /livetail.conf.spec: -------------------------------------------------------------------------------- 1 | # This file is intentionally empty. 2 | -------------------------------------------------------------------------------- /pubsub.conf.spec: -------------------------------------------------------------------------------- 1 | # This file is intentionally empty. 2 | -------------------------------------------------------------------------------- /datatypesbnf.conf.spec: -------------------------------------------------------------------------------- 1 | # This file intentionally left blank 2 | -------------------------------------------------------------------------------- /workload_policy.conf: -------------------------------------------------------------------------------- 1 | [search_admission_control] 2 | admission_rules_enabled = 0 3 | -------------------------------------------------------------------------------- /workload_rules.conf: -------------------------------------------------------------------------------- 1 | [general] 2 | numeric_search_time_range = true 3 | 4 | [workload_rules_order] 5 | rules = 6 | -------------------------------------------------------------------------------- /literals.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file and all forms of literals.conf are now deprecated. 4 | # Instead, use the messages.conf file which is documented 5 | # at "Customize Splunk Web messages" in the Splunk documentation. 
6 | -------------------------------------------------------------------------------- /literals.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file and all forms of literals.conf are now deprecated. 4 | # Instead, use the messages.conf file which is documented 5 | # at "Customize Splunk Web messages" in the Splunk documentation. 6 | -------------------------------------------------------------------------------- /metric_rollups.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | 3 | ############################################################## 4 | # default values for fields # 5 | ############################################################## 6 | -------------------------------------------------------------------------------- /viewstates.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # Stores UI viewstate information for view persistence 4 | # 5 | 6 | # default stub 7 | [default] 8 | 9 | # empty viewstate to coerce default settings 10 | [flashtimeline:_empty] 11 | module.stub = 0 12 | -------------------------------------------------------------------------------- /global-banner.conf: -------------------------------------------------------------------------------- 1 | [BANNER_MESSAGE_SINGLETON] 2 | global_banner.visible = false 3 | global_banner.message = Sample banner notification text. Please replace with your own message. 
4 | global_banner.background_color = blue 5 | global_banner.hyperlink = 6 | global_banner.hyperlink_text = 7 | -------------------------------------------------------------------------------- /multikv.conf: -------------------------------------------------------------------------------- 1 | [PerfmonMk] 2 | pre.start = "\d\d\/\d\d\/\d\d\d\d\s.*" 3 | pre.linecount = 4 4 | header.start = "instance" 5 | header.linecount = 1 6 | header.tokens = _tokenize_, -1, " " 7 | body.tokens = _tokenize_, 0, " " 8 | 9 | [WinNetMonMk] 10 | header.start = "timestamp" 11 | header.linecount = 1 12 | header.tokens = _tokenize_, -1, " " 13 | body.tokens = _tokenize_, 0, " " 14 | -------------------------------------------------------------------------------- /deployment.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # *** REMOVED; NO LONGER USED *** 4 | # 5 | # 6 | # This configuration file has been replaced by: 7 | # 1.) deploymentclient.conf - for configuring Deployment Clients. 8 | # 2.) serverclass.conf - for Deployment Server server class configuration. 9 | # 10 | # 11 | # Compatibility: 12 | # Splunk 4.x Deployment Server is NOT compatible with Splunk 3.x Deployment Clients. 13 | # 14 | -------------------------------------------------------------------------------- /audit.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 
12 | 13 | queueing = true 14 | 15 | [auditTrail] 16 | 17 | -------------------------------------------------------------------------------- /telemetry.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file configures telemetry settings for the app 14 | # 15 | -------------------------------------------------------------------------------- /workflow_actions.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | [show_source] 3 | type=link 4 | fields = _cd 5 | display_location = event_menu 6 | label = Show Source 7 | link.uri = /app/$@namespace$/show_source?sid=$@sid$&offset=$@offset$&latest_time=$@latest_time$ 8 | 9 | [ifx] 10 | type = link 11 | display_location = event_menu 12 | label = Extract Fields 13 | link.uri = /app/$@namespace$/field_extractor?sid=$@sid$&offset=$@offset$ 14 | 15 | [etb] 16 | type = link 17 | display_location = event_menu 18 | label = Build Event Type 19 | link.uri = /etb?sid=$@sid$&offset=$@offset$&namespace=$@namespace$ 20 | 21 | -------------------------------------------------------------------------------- /ipc_broker.conf: -------------------------------------------------------------------------------- 1 | # Version 9.4.3 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 
5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the Splunk documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file contains possible settings and values you can use to configure 14 | # settings for the inter-process communication (IPC) broker. 15 | 16 | [ipc_broker_main] 17 | port = 8194 18 | -------------------------------------------------------------------------------- /workload_pools.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # Please set the value of "os" property appropriately. Currently the workloads management 3 | # system component will only be enabled when os=linux. 4 | # CAUTION: Do not alter the settings in workload_pools.conf unless you know what you are doing. 5 | # Improperly configured workloads may result in splunkd crashes and/or memory overuse. 6 | 7 | [general] 8 | enabled = false 9 | workload_pool_base_dir_name = splunk 10 | 11 | [workload_category:search] 12 | cpu_weight = 70 13 | mem_weight = 70 14 | 15 | [workload_category:ingest] 16 | cpu_weight = 20 17 | mem_weight = 100 18 | 19 | [workload_category:misc] 20 | cpu_weight = 10 21 | mem_weight = 10 22 | -------------------------------------------------------------------------------- /event_renderers.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 
9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file contains mappings between Splunk eventtypes and event renderers. 14 | # 15 | 16 | [default] 17 | template = //results/EventsViewer_default_renderer.html 18 | priority = 0 19 | css_class = 20 | eventtype = 21 | -------------------------------------------------------------------------------- /field_filters.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | ############################################################################ 6 | # This file contains descriptions of the settings that you can use to 7 | # configure field filters. 8 | # 9 | # DO NOT EDIT THIS FILE! 10 | # Changes to default files will be lost on update and are difficult to 11 | # manage and support. 12 | # 13 | # Configurations for field filters are stored in 14 | # etc/system/local/field_filters.conf. 15 | # To customize your configuration, create a field_filters.conf file 16 | # at $SPLUNK_HOME/etc/system/local if you are using *nix, or 17 | # %SPLUNK_HOME%\etc\system\local if you are using Windows.# 18 | # 19 | 20 | -------------------------------------------------------------------------------- /transactiontypes.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 
12 | # 13 | # This file configures transaction searches and their properties. 14 | # 15 | 16 | [default] 17 | 18 | 19 | # group events that occur in a fast, contiguous run into a transaction. 20 | # if there is ever a pause of more than 2 seconds, break into a 21 | # separate transaction. 22 | [run] 23 | maxpause = 2s 24 | -------------------------------------------------------------------------------- /migration.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file maintains the migration status in Splunk Enterprise. 4 | # 5 | # Splunk Enterprise automatically generates the configurations in 6 | # this file during a migration. 7 | # Do not edit any configurations in this file unless instructed to by 8 | # Splunk support. 9 | # 10 | # There is no global, default migration.conf. When migrating between certain 11 | # versions of Splunk Enterprise, Splunk will perform migration actions that 12 | # must only be executed once. To ensure these actions are not performed during 13 | # any subsequent migration, Splunk will create a migration.conf to record 14 | # whether or not particular migration actions have taken place. 15 | # 16 | # To learn more about configuration files (including precedence) please see the 17 | # documentation located at 18 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 19 | -------------------------------------------------------------------------------- /procmon-filters.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # Version 3.0 3 | # DO NOT EDIT THIS FILE! 4 | # Changes to default files will be lost on update and are difficult to 5 | # manage and support. 6 | # 7 | # Please make any changes to system defaults by overriding them in 8 | # apps or $SPLUNK_HOME/etc/system/local 9 | # (See "Configuration file precedence" in the web documentation). 
10 | # 11 | # To override a specific setting, copy the name of the stanza and 12 | # setting to the file where you wish to override it. 13 | # 14 | # This file contains potential attribute/value pairs to use when 15 | # configuring Windows process monitoring. The procmon-filters.conf 16 | # file is used in conjunction with sysmon.conf, and contains the 17 | # specific regular expressions you create to refine and filter the 18 | # processes you want Splunk to monitor. 19 | 20 | [default] 21 | hive = .* 22 | 23 | [not-splunk-optimize] 24 | proc = splunk-optimize.exe 25 | type = create|exit|image 26 | 27 | -------------------------------------------------------------------------------- /agent_management.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the Splunk documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file configures Agent Management feature. 
14 | 15 | [general] 16 | fallback_to_deployment_server_ui = false 17 | log_level=INFO 18 | request_timeout=90s 19 | 20 | [search_client] 21 | polling_interval = 500ms 22 | 23 | [splunkd_client] 24 | connection_pool_size = 10 25 | request_timeout = 60s 26 | connection_keep_alive = 11s 27 | 28 | [settings_sync] 29 | polling_interval = 5m 30 | 31 | [effective_configuration] 32 | max_size = 16 33 | cleanup_threshold = 6144 34 | cleanup_schedule = 0 3 * * * 35 | -------------------------------------------------------------------------------- /default-mode.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # User customization with default-mode.conf is not and cannot be supported. 4 | # 5 | #This file turns off pipelines and processors. 6 | #This is the default configuration 7 | 8 | #Turn off a processor 9 | [pipeline:parsing] 10 | disabled_processors= chunkedlinebreaker, thruput, s2soverhttpoutput-light-forwarder, httpoutchunkbreaker, tcp-output-light-forwarder, send-out-light-forwarder 11 | 12 | [pipeline:winparsing] 13 | disabled_processors = sendOut 14 | 15 | [pipeline:indexerPipe] 16 | disabled_processors = http-output-generic-processor 17 | 18 | [pipeline:vix] 19 | disabled = true 20 | 21 | # Pipeline structuredparsing will only be enabled for UniversalForwarder 22 | # It is not needed for normal mode splunkd 23 | [pipeline:structuredparsing] 24 | disabled = true 25 | 26 | [pipeline:remotequeuetyping] 27 | disabled = true 28 | 29 | [pipeline:remotequeueruleset] 30 | disabled = true 31 | 32 | [pipeline:remotequeueoutput] 33 | disabled_processors = remote_thruput 34 | disabled = true 35 | -------------------------------------------------------------------------------- /passwords.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file maintains the credential information for a given app in Splunk 
Enterprise. 4 | # 5 | # There is no global, default passwords.conf. Instead, anytime a user creates 6 | # a new user or edits an existing user, hitting the storage endpoint 7 | # creates this passwords.conf file, which gets replicated 8 | # in a search head clustering environment. 9 | # Note that passwords.conf is only created from the 6.3.0 release onward. 10 | # 11 | # You must restart Splunk Enterprise to reload manual changes to passwords.conf. 12 | # 13 | # To learn more about configuration files (including precedence) please see the 14 | # documentation located at 15 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 16 | 17 | 18 | [credential:::] 19 | password = 20 | * The password that corresponds to the given username for the given realm. 21 | * NOTE: The realm is optional. 22 | * The password can be written in clear text; however, when splunkd saves the 23 | file, the password is always stored encrypted. 24 | -------------------------------------------------------------------------------- /bookmarks.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains possible settings and values for configuring various 4 | # "bookmark" entries to be stored within a Splunk instance. 5 | # 6 | # To add custom bookmarks, place a bookmarks.conf file in 7 | # $SPLUNK_HOME/etc/system/local/ on the Splunk instance. 8 | # configuration content is deployed to a 9 | # given deployment client in serverclass.conf. Refer to 10 | # 11 | # To learn more about configuration files (including precedence), see the 12 | # documentation located at 13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 14 | 15 | [bookmarks_mc:*] 16 | url = 17 | * A bookmark URL that redirects logged-in administrators to other Monitoring 18 | Console instances that may be within their purview. 
Set this up if you have 19 | administrators who are responsible for the performance and uptime of multiple 20 | Splunk deployments. 21 | * The bookmark appears in the left pane of the Monitoring Console. 22 | * The URL must begin with http:// or https:// and contain 'splunk_monitoring_console'. 23 | * Default: not set 24 | -------------------------------------------------------------------------------- /metric_alerts.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file contains possible attribute/value pairs for metric alerts. 14 | # 15 | 16 | ############################################################## 17 | # default values for fields - UI needs these to build forms # 18 | ############################################################## 19 | disabled = 0 20 | description = 21 | condition = 22 | filter = 23 | groupby = 24 | metric_indexes = 25 | trigger.suppress = 26 | trigger.expires = 24h 27 | trigger.max_tracked = 20 28 | action.email.include.trigger_time = 1 29 | action.email.sendresults = 1 30 | action.email.inline = 1 31 | action.email.include.smaDefinition = 0 32 | -------------------------------------------------------------------------------- /procmon-filters.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # *** DEPRECATED *** 4 | # 5 | # 6 | # This file contains potential attribute/value pairs to use when configuring 7 | # Windows registry monitoring. 
The procmon-filters.conf file contains the 8 | # regular expressions you create to refine and filter the processes you want 9 | # Splunk to monitor. You must restart Splunk to enable configurations. 10 | # 11 | # To learn more about configuration files (including precedence) please see the 12 | # documentation located at 13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 14 | 15 | #### find out if this file is still being used. 16 | 17 | [] 18 | * The name of the filter being defined. 19 | 20 | proc = 21 | * A regular expression that specifies process image that you want 22 | the Splunk platform to monitor. 23 | * No default. 24 | 25 | type = 26 | * A regular expression that specifies the type(s) of process events 27 | that you want the Splunk platform to monitor. 28 | * No default 29 | 30 | hive = 31 | * Not used in this context, but should always have value ".*" 32 | -------------------------------------------------------------------------------- /source-classifier.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains all possible options for configuring settings for the 4 | # file classifier in source-classifier.conf. 5 | # 6 | # There is a source-classifier.conf in $SPLUNK_HOME/etc/system/default/ To 7 | # set custom configurations, place a source-classifier.conf in 8 | # $SPLUNK_HOME/etc/system/local/. For examples, see 9 | # source-classifier.conf.example. You must restart Splunk to enable 10 | # configurations. 11 | # 12 | # To learn more about configuration files (including precedence) please see 13 | # the documentation located at 14 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 15 | 16 | 17 | ignored_model_keywords = 18 | * Terms to ignore when generating a sourcetype model. 19 | * To prevent sourcetype "bundles/learned/*-model.xml" files from containing 20 | sensitive terms (e.g. 
"bobslaptop") that occur very frequently in your 21 | data files, add those terms to ignored_model_keywords. 22 | 23 | ignored_filename_keywords = 24 | * Terms to ignore when comparing a new sourcename against a known 25 | sourcename, for the purpose of classifying a source. 26 | 27 | -------------------------------------------------------------------------------- /audit.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains possible attributes and values you can use to configure 4 | # auditing in audit.conf. 5 | # 6 | # There is NO DEFAULT audit.conf. To set custom configurations, place an 7 | # audit.conf in $SPLUNK_HOME/etc/system/local/. For examples, see 8 | # audit.conf.example. You must restart Splunk to enable configurations. 9 | # 10 | # To learn more about configuration files (including precedence) please see the 11 | # documentation located at 12 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 13 | 14 | # GLOBAL SETTINGS 15 | # Use the [default] stanza to define any global settings. 16 | # * You can also define global settings outside of any stanza, at the top of the file. 17 | # * Each conf file should have at most one default stanza. If there are 18 | # multiple default stanzas, attributes are combined. In the case of multiple 19 | # definitions of the same attribute, the last definition in the file wins. 20 | # * If an attribute is defined at both the global level and in a specific 21 | # stanza, the value in the specific stanza takes precedence. 22 | 23 | [auditTrail] 24 | queueing = 25 | * Whether or not audit events are sent to the indexQueue. 26 | * If set to "true", audit events are sent to the indexQueue. 27 | * If set to "false", you must add an inputs.conf stanza to tail the 28 | audit log for the events reach your index. 
29 | * Default: true 30 | 31 | -------------------------------------------------------------------------------- /serverclass.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file defines server classes to which deployment clients can belong, for 14 | # the purposes of distributing Splunk configuration data. The per-class 15 | # attributes and values specify what content a given server class member will 16 | # receive from the deployment server. 17 | # 18 | # To learn more about configuration files (including precedence) please see the documentation 19 | # located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 20 | 21 | 22 | [global] 23 | crossServerChecksum = false 24 | repositoryLocation = $SPLUNK_HOME/etc/deployment-apps 25 | targetRepositoryLocation = $SPLUNK_HOME/etc/apps 26 | tmpFolder = $SPLUNK_HOME/var/run/tmp 27 | 28 | stateOnClient = enabled 29 | 30 | restartSplunkWeb = False 31 | restartSplunkd = False 32 | issueReload = false 33 | continueMatching = true 34 | endpoint = $deploymentServerUri$/services/streams/deployment?name=$tenantName$:$serverClassName$:$appName$ 35 | 36 | filterType = whitelist 37 | 38 | -------------------------------------------------------------------------------- /authentication.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 
3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file configures authentication. 14 | 15 | [authentication] 16 | authType = Splunk 17 | passwordHashAlgorithm = SHA512-crypt 18 | 19 | # Note: the caching specified in this stanza only applies to scripted authentication. 20 | # If you are using scripted authentication, you can override these cache timing values in 21 | # your $SPLUNK_HOME/etc/system/local/authentication.conf 22 | [cacheTiming] 23 | userLoginTTL = 0 24 | userInfoTTL = 10 25 | 26 | [secrets] 27 | filename = gnome_keyring.py 28 | python.version = latest 29 | namespace = splunk 30 | 31 | [splunk_auth] 32 | minPasswordLength = 8 33 | minPasswordUppercase = 0 34 | minPasswordLowercase = 0 35 | minPasswordSpecial = 0 36 | minPasswordDigit = 0 37 | expirePasswordDays = 90 38 | expireAlertDays = 15 39 | expireUserAccounts = false 40 | forceWeakPasswordChange = false 41 | lockoutUsers = true 42 | lockoutAttempts = 5 43 | lockoutThresholdMins = 5 44 | lockoutMins = 30 45 | enablePasswordHistory = false 46 | passwordHistoryCount = 24 47 | constantLoginTime = 0 48 | verboseLoginFailMsg = true 49 | 50 | -------------------------------------------------------------------------------- /tags.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains possible attribute/value pairs for configuring tags. Set 4 | # any number of tags for indexed or extracted fields. 5 | # 6 | # There is no tags.conf in $SPLUNK_HOME/etc/system/default/. 
To set custom 7 | # configurations, place a tags.conf in $SPLUNK_HOME/etc/system/local/. For 8 | # examples, see tags.conf.example. You must restart Splunk software to enable 9 | # configurations. 10 | # 11 | # To learn more about configuration files (including precedence) please see the 12 | # documentation located at 13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 14 | 15 | [=] 16 | * The field name and value to which the tags in the stanza 17 | apply. For example, host=localhost. 18 | * A tags.conf file can contain multiple stanzas. It is recommended that the 19 | value be URL encoded to avoid configuration file parsing errors, especially 20 | if the field value contains the following characters: \n, =, [] 21 | * Each stanza can refer to only one field/value pair. 22 | 23 | = 24 | = 25 | = 26 | * Enable or disable each for this specific field/value pair. 27 | * While you can have multiple tags in a stanza (meaning that multiple tags are 28 | assigned to the same field/value combination), only one tag is allowed per 29 | stanza line. In other words, you can't have a list of tags on one line of the 30 | stanza. 31 | * CAUTION: Do not put the value in quotes. For example, 32 | use foo=enabled, not "foo"=enabled. 33 | -------------------------------------------------------------------------------- /workload_policy.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | ############################################################################ 6 | # This file contains descriptions of the settings that you can use to 7 | # configure search admission control for splunk. 8 | # 9 | # There is a workload_policy.conf file in the $SPLUNK_HOME/etc/system/default/ directory. 10 | # Never change or copy the configuration files in the default directory. 
11 | # The files in the default directory must remain intact and in their original 12 | # location. 13 | # 14 | # To set custom configurations, create a new file with the name workload_policy.conf in 15 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 16 | # that you want to customize to the local configuration file. 17 | # For examples, see workload_policy.conf.example. You may need to restart the Splunk instance 18 | # to enable configuration changes. 19 | # 20 | # To learn more about configuration files (including file precedence) see the 21 | # documentation located at 22 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 23 | # 24 | # Settings to configure search admission control, including enabling/disabling the feature 25 | # and other configurations. 26 | 27 | [search_admission_control] 28 | admission_rules_enabled = 29 | * Determines whether admission rules are applied to searches. 30 | * If set to true, admission rules for pre-filtering searches are applied when a search 31 | is dispatched. 32 | * Default: 0 33 | -------------------------------------------------------------------------------- /sourcetypes.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # NOTE: sourcetypes.conf is a machine-generated file that stores the document 4 | # models used by the file classifier for creating source types. 5 | 6 | # Generally, you should not edit sourcetypes.conf, as most attributes are 7 | # machine generated. However, there are two attributes which you can change. 8 | # 9 | # There is a sourcetypes.conf in $SPLUNK_HOME/etc/system/default/. To set custom 10 | # configurations, place a sourcetypes.conf in $SPLUNK_HOME/etc/system/local/. 11 | # For examples, see sourcetypes.conf.example. You must restart Splunk to enable 12 | # configurations.
13 | # 14 | # To learn more about configuration files (including precedence) please see the 15 | # documentation located at 16 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 17 | 18 | # GLOBAL SETTINGS 19 | # Use the [default] stanza to define any global settings. 20 | # * You can also define global settings outside of any stanza, at the top of 21 | # the file. 22 | # * Each conf file should have at most one default stanza. If there are 23 | # multiple default stanzas, attributes are combined. In the case of 24 | # multiple definitions of the same attribute, the last definition in the 25 | # file wins. 26 | # * If an attribute is defined at both the global level and in a specific 27 | # stanza, the value in the specific stanza takes precedence. 28 | 29 | 30 | _sourcetype = 31 | * Specifies the sourcetype for the model. 32 | * Change this to change the model's sourcetype. 33 | * Future sources that match the model will receive a sourcetype of this new 34 | name. 35 | 36 | _source = 37 | * Specifies the source (filename) for the model. 38 | -------------------------------------------------------------------------------- /eventtypes.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file contains configuration for eventtypes and their properties.
14 | # 15 | 16 | [default] 17 | disabled = 0 18 | tags = 19 | search = 20 | description = 21 | priority = 1 22 | color = 23 | 24 | #################################################### 25 | # For more eventtypes, please visit SplunkBase.com # 26 | #################################################### 27 | 28 | #################################################### 29 | # Example eventtype. 30 | # 31 | # [cisco_internetIn_denied] 32 | # search = sourcetype::cisco_syslog InternetIn denied 33 | # priority = 5 34 | # 35 | #################################################### 36 | [internal_search_terms] 37 | search = ( "After evaluating args" OR "Before evaluating args" OR "context dispatched for search=" OR "SearchParser - PARSING" OR "got search" OR "_dispatchNewSearch - search" OR "search:* - q" OR ( decomposition fullsearch ) OR "PAAAAAARSER! - search" OR "view:* - DECOMPOSITION" OR "Splunk.Module.SearchBar .setInputField" OR ( typeahead prefix ) OR "DEBUG HTTPServer - Deleting request=GET" OR /en-US/api/search/typeahead ) 38 | 39 | [splunkd-log] 40 | search = index=_internal source=*/splunkd.log OR source=*\\splunkd.log 41 | 42 | [splunkd-access] 43 | search = index=_internal source=*/splunkd_access.log OR source=*\\splunkd_access.log 44 | -------------------------------------------------------------------------------- /viewstates.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file explains how to format viewstates. 4 | # 5 | # To use this configuration, copy the configuration block into 6 | # viewstates.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk 7 | # to enable configurations. 
8 | # 9 | # To learn more about configuration files (including precedence) please see 10 | # the documentation located at 11 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 12 | 13 | # GLOBAL SETTINGS 14 | # Use the [default] stanza to define any global settings. 15 | # * You can also define global settings outside of any stanza, at the top 16 | # of the file. 17 | # * Each conf file should have at most one default stanza. If there are 18 | # multiple default stanzas, attributes are combined. In the case of 19 | # multiple definitions of the same attribute, the last definition in the 20 | # file wins. 21 | # * If an attribute is defined at both the global level and in a specific 22 | # stanza, the value in the specific stanza takes precedence. 23 | 24 | 25 | [:] 26 | * Auto-generated persistence stanza label that corresponds to UI views 27 | * The is the URI name (not label) of the view to persist 28 | * if = "*", then this viewstate is considered to be 'global' 29 | * The is the unique identifier assigned to this set of 30 | parameters 31 | * = '_current' is a reserved name for normal view 32 | 'sticky state' 33 | * = '_empty' is a reserved name for no persistence, 34 | i.e., all defaults 35 | 36 | . = 37 | * The is the runtime id of the UI module requesting persistence 38 | * The is the setting designated by to persist 39 | -------------------------------------------------------------------------------- /user-seed.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # Specification for user-seed.conf. Allows configuration of Splunk's 4 | # initial username and password. Currently, only one user can be configured 5 | # with user-seed.conf. 6 | # 7 | # Specification for user-seed.conf. Allows configuration of Splunk's initial username and password. 8 | # Currently, only one user can be configured with user-seed.conf. 
9 | # 10 | # To set the default username and password, place user-seed.conf in 11 | # $SPLUNK_HOME/etc/system/local. You must restart Splunk to enable configurations. 12 | # If the $SPLUNK_HOME/etc/passwd file is present, the settings in this file (user-seed.conf) are not used. 13 | # 14 | # Use HASHED_PASSWORD instead of a clear-text PASSWORD for a more secure installation. To hash a clear-text password, 15 | # use the 'splunk hash-passwd' command, then copy the output to this file. 16 | # 17 | # If a clear-text password is set (not recommended) and its last character is '\', it must 18 | # be followed by a space for the value to be read correctly. The password does not include the extra 19 | # trailing space; it is required only to suppress the special meaning of a backslash in a conf file. 20 | # 21 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 22 | # To learn more about configuration files (including precedence) please see the documentation 23 | # located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 24 | 25 | [user_info] 26 | * Default is Admin. 27 | 28 | USERNAME = 29 | * Username you want to associate with a password. 30 | * Default is Admin. 31 | 32 | PASSWORD = 33 | * Clear-text password you wish to set for that user (not recommended; prefer HASHED_PASSWORD). 34 | * Password must meet complexity requirements. 35 | 36 | HASHED_PASSWORD = 37 | * Password hash you wish to set for that user, as produced by 'splunk hash-passwd'. 38 | -------------------------------------------------------------------------------- /collections.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Please make all changes to files in $SPLUNK_HOME/etc/system/local. 4 | # To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default 5 | # into ../local and edit there.
6 | # 7 | # Configuration for KV Store collections 8 | # 9 | 10 | ############## 11 | # defaults for all collection 12 | ############## 13 | 14 | [default] 15 | type = undefined 16 | profilingEnabled = false 17 | profilingThresholdMs = 1000 18 | replicate = false 19 | replication_dump_strategy = auto 20 | replication_dump_maximum_file_size = 10240 21 | 22 | [SavedSearchHistory] 23 | type = internal_cache 24 | 25 | [SearchHeadClusterHealthStates] 26 | type = internal_cache 27 | 28 | [SearchHistory] 29 | accelerated_fields.history = { "timestamp":1 } 30 | 31 | [SamlIdpCerts] 32 | disabled = true 33 | 34 | [SSLCertificates] 35 | disabled = true 36 | 37 | [SearchHeadClusterMemberInfo] 38 | type = internal_cache 39 | 40 | [RecentlyViewedKO] 41 | 42 | [HomePageAdminConfig] 43 | 44 | [HomePage] 45 | 46 | [Favorites] 47 | accelerated_fields.id = {"id": 1, "app": 1} 48 | accelerated_fields.title = {"title": 1} 49 | 50 | [KOFavorites] 51 | accelerated_fields.title = {"title": 1} 52 | 53 | # Used as storage for Token authorization 54 | [JsonWebTokensV1] 55 | disabled = true 56 | 57 | [LookupDumpDistribution] 58 | type = internal_cache 59 | 60 | 61 | [Spl2Modules] 62 | 63 | [Spl2Permissions] 64 | 65 | [DistributedLeases] 66 | 67 | [LoggedOutSessionTokens] 68 | disabled = true 69 | # The unique token uid is stored as _key 70 | field.expiration = number 71 | field.inserted = number 72 | accelerated_fields.ac_inserted = {"inserted" : 1} 73 | 74 | # Used as storage for SAML user's TTL when AuthExts or AQRs are enabled 75 | [SAMLUserLastAccessedTimestamp] 76 | 77 | [QueuedStatisticsReplication] 78 | -------------------------------------------------------------------------------- /global-banner.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | 
############################################################################ 6 | # This file contains descriptions of the settings that you can use to 7 | # configure a global banner at the top of every page in Splunk, above the Splunk bar. 8 | # 9 | # Each stanza controls different search commands settings. 10 | # 11 | # There is a global-banner.conf file in the $SPLUNK_HOME/etc/system/default/ directory. 12 | # Never change or copy the configuration files in the default directory. 13 | # The files in the default directory must remain intact and in their original 14 | # location. 15 | # 16 | # To set custom configurations, create a new file with the name global-banner.conf in 17 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 18 | # that you want to customize to the local configuration file. 19 | # For examples, see global-banner.conf.example. You must restart the Splunk instance 20 | # to enable configuration changes. 21 | # 22 | # To learn more about configuration files (including file precedence) see the 23 | # documentation located at 24 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 25 | 26 | [BANNER_MESSAGE_SINGLETON] 27 | * IMPORTANT: It is only possible to declare one global banner. This is the only 28 | stanza that Splunk Web will read. 29 | 30 | global_banner.visible = 31 | * Default: false 32 | 33 | global_banner.message = 34 | * Default: Sample banner notification text. Please replace with your own message. 35 | 36 | global_banner.background_color = [green|blue|yellow|orange|red] 37 | * Default: blue 38 | 39 | global_banner.hyperlink = [http://|https://] 40 | * Default: none 41 | 42 | global_banner.hyperlink_text = 43 | * Default: none 44 | -------------------------------------------------------------------------------- /datamodels.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 
3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file contains configurations for datamodels and their properties. 14 | # 15 | 16 | [default] 17 | acceleration = false 18 | acceleration.earliest_time = 19 | acceleration.backfill_time = 20 | acceleration.max_time = 3600 21 | acceleration.allow_skew = 0 22 | acceleration.cron_schedule = */5 * * * * 23 | acceleration.schedule_priority = default 24 | acceleration.manual_rebuilds = false 25 | acceleration.poll_buckets_until_maxtime = false 26 | acceleration.max_concurrent = 3 27 | acceleration.allow_old_summaries = false 28 | acceleration.source_guid = 29 | acceleration.hunk.compression_codec = 30 | acceleration.hunk.dfs_block_size = 31 | acceleration.hunk.file_format = 32 | acceleration.workload_pool = 33 | 34 | ## dataset related 35 | dataset.description = 36 | dataset.type = datamodel 37 | dataset.commands = 38 | dataset.fields = 39 | dataset.display.diversity = latest 40 | dataset.display.sample_ratio = 1 41 | dataset.display.limiting = 100000 42 | dataset.display.currentCommand = 43 | dataset.display.mode = table 44 | dataset.display.datasummary.earliestTime = 45 | dataset.display.datasummary.latestTime = 46 | 47 | strict_fields = true 48 | -------------------------------------------------------------------------------- /ipc_broker.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 9.4.3 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | ############################################################################ 6 | 
# This file contains descriptions of the settings that you can use to 7 | # configure the inter-process communication (IPC) broker. 8 | # 9 | # There is an ipc_broker.conf file in the $SPLUNK_HOME/etc/system/default/ directory. 10 | # Never change or copy the configuration files in the default directory. 11 | # The files in the default directory must remain intact and in their original 12 | # location. 13 | # 14 | # To set custom configurations, create a new file with the name ipc_broker.conf in 15 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 16 | # that you want to customize to the local configuration file. 17 | # You must restart the Splunk instance to enable configuration changes. 18 | # 19 | # To learn more about configuration files (including file precedence) see the 20 | # documentation located at 21 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 22 | 23 | 24 | # IPC broker settings. This stanza must exist. 25 | [ipc_broker_main] 26 | port = 27 | * The TCP/IP network port that the IPC broker process uses to serve incoming requests. 28 | * The lowest valid value is 1025 and the highest is 65535. 29 | * No default. 30 | 31 | 32 | # Splunkd helper process settings. 33 | [:] 34 | * Use this stanza type to specify settings for a specific service within 35 | a helper process for splunkd. If you do not specify a , then the settings 36 | apply to the default service within that []. 37 | port = 38 | * The TCP/IP network port that the splunkd helper process uses to serve incoming requests. 39 | * The lowest valid value is 1025 and the highest is 65535. 40 | * No default. 41 | -------------------------------------------------------------------------------- /segmenters.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 
3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file contains configuration for segmentation of events. 14 | 15 | 16 | MAJOR = [ ] < > ( ) { } | ! ; , ' " * \n \r \s \t & ? + %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29 17 | #The %xx are for url-encoded characters that should be broken on 18 | MINOR = / : = @ . - $ # % \\ _ 19 | 20 | [full] 21 | 22 | [indexing] 23 | # change INTERMEDIATE_MAJORS to "true" if you want an ip address to appear in typeahead as a, a.b, a.b.c, a.b.c.d 24 | # the typical effect on performance by setting to "true" is 30% 25 | INTERMEDIATE_MAJORS = false 26 | 27 | [search] 28 | MAJOR = [ ] < > ( ) { } | ! ; , ' " \n \r \s \t & ? + %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29 / : = @ . - $ # % \\ _ 29 | MINOR = 30 | 31 | [standard] 32 | MAJOR = [ ] < > ( ) { } | ! ; , ' " * \n \r \s \t / : = @ . ? - & $ # + % _ \\ %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 33 | MINOR = 34 | 35 | [inner] 36 | MAJOR = [ ] < > ( ) { } | ! ; , ' " * \n \r \s \t / : = @ . ? - & $ # + % _ \\ %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 37 | MINOR = 38 | 39 | [outer] 40 | MAJOR = [ ] < > ( ) { } | ! ; , ' " * \n \r \s \t & ? 
+ %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 41 | MINOR = 42 | 43 | [none] 44 | MAJOR = 45 | MINOR = 46 | MAJOR_COUNT = 0 47 | LOOKAHEAD = 0 48 | MINOR_COUNT = 0 49 | 50 | 51 | [whitespace-only] 52 | MAJOR = \n \r \s \t %20 53 | MINOR = 54 | 55 | 56 | #Don't delete or change this tokenizer it is needed to tokenize meta information internal 57 | [meta-tokenizer] 58 | MAJOR = \s 59 | MINOR = 60 | -------------------------------------------------------------------------------- /instance.cfg.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains the set of attributes and values you can expect to find in 4 | # the SPLUNK_HOME/etc/instance.cfg file; the instance.cfg file is not to be 5 | # modified or removed by user. LEAVE THE instance.cfg FILE ALONE. 6 | # 7 | 8 | # 9 | # GLOBAL SETTINGS 10 | # The [general] stanza defines global settings. 11 | # 12 | [general] 13 | 14 | guid = 15 | * This setting formerly (before 5.0) belonged in the [general] stanza of 16 | server.conf file. 17 | 18 | * Splunk expects that every Splunk instance will have a unique string for this 19 | value, independent of all other Splunk instances. By default, Splunk will 20 | arrange for this without user intervention. 21 | 22 | * Currently used by (not exhaustive): 23 | * Clustering environments, to identify participating nodes. 24 | * Splunk introspective searches (Splunk on Splunk, Deployment Monitor, 25 | etc.), to identify forwarders. 26 | 27 | * At startup, the following happens: 28 | 29 | * If server.conf has a value of 'guid' AND instance.cfg has no value of 30 | 'guid', then the value will be erased from server.conf and moved to 31 | instance.cfg file. 32 | 33 | * If server.conf has a value of 'guid' AND instance.cfg has a value of 34 | 'guid' AND these values are the same, the value is erased from 35 | server.conf file. 
36 | 37 | * If server.conf has a value of 'guid' AND instance.cfg has a value of 'guid' 38 | AND these values are different, startup halts and error is shown. Operator 39 | must resolve this error. We recommend erasing the value from server.conf 40 | file, and then restarting. 41 | 42 | * If you are hitting this error while trying to mass-clone Splunk installs, 43 | please look into the command 'splunk clone-prep-clear-config'; 44 | 'splunk help' has help. 45 | 46 | * See http://www.ietf.org/rfc/rfc4122.txt for how a GUID (a.k.a. UUID) is 47 | constructed. 48 | 49 | * The standard regexp to match an all-uppercase GUID is 50 | "[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}". 51 | -------------------------------------------------------------------------------- /event_renderers.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains possible attribute/value pairs for configuring event rendering properties. 4 | # 5 | # Beginning with version 6.0, Splunk Enterprise does not support the 6 | # customization of event displays using event renderers. 7 | # 8 | # There is an event_renderers.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations, 9 | # place an event_renderers.conf in $SPLUNK_HOME/etc/system/local/, or your own custom app directory. 10 | # 11 | # To learn more about configuration files (including precedence) please see the documentation 12 | # located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 13 | 14 | # GLOBAL SETTINGS 15 | # Use the [default] stanza to define any global settings. 16 | # * You can also define global settings outside of any stanza, at the top of the file. 17 | # * Each conf file should have at most one default stanza. If there are multiple default 18 | # stanzas, attributes are combined. 
In the case of multiple definitions of the same 19 | # attribute, the last definition in the file wins. 20 | # * If an attribute is defined at both the global level and in a specific stanza, the 21 | # value in the specific stanza takes precedence. 22 | 23 | [] 24 | * Stanza name. This name must be unique. 25 | 26 | eventtype = 27 | * Specify event type name from eventtypes.conf. 28 | 29 | priority = 30 | * Highest number wins!! 31 | 32 | template = 33 | * Any template from the $APP/appserver/event_renderers directory. 34 | 35 | css_class = 36 | * This can be any valid css class value. 37 | * The value is appended to a standard suffix string of "splEvent-". A css_class value of foo would 38 | result in the parent element of the event having an html attribute class with a value of splEvent-foo 39 | (for example, class="splEvent-foo"). You can externalize your css style rules for this in 40 | $APP/appserver/static/application.css. For example, to make the text red you would add to 41 | application.css:.splEvent-foo { color:red; } 42 | -------------------------------------------------------------------------------- /eventdiscoverer.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | 3 | # This file contains possible settings and values you can use to configure 4 | # event discovery through the search command "typelearner." 5 | # 6 | # There is an eventdiscoverer.conf in $SPLUNK_HOME/etc/system/default/. To set 7 | # custom configurations, place an eventdiscoverer.conf in 8 | # $SPLUNK_HOME/etc/system/local/. For examples, see 9 | # eventdiscoverer.conf.example. You must restart Splunk to enable 10 | # configurations. 
11 | # 12 | # To learn more about configuration files (including precedence) please see the 13 | # documentation located at 14 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 15 | 16 | # GLOBAL SETTINGS 17 | # Use the [default] stanza to define any global settings. 18 | # * You can also define global settings outside of any stanza, at the top of 19 | # the file. 20 | # * Each conf file should have at most one default stanza. If there are 21 | # multiple default stanzas, attributes are combined. In the case of 22 | # multiple definitions of the same attribute, the last definition in the 23 | # file wins. 24 | # * If an attribute is defined at both the global level and in a specific 25 | # stanza, the value in the specific stanza takes precedence. 26 | 27 | ignored_keywords = 28 | * If you find that event types have terms you do not want considered (for 29 | example, "mylaptopname"), add that term to this list. 30 | * Terms in this list are never considered for defining an event type. 31 | * For more details, see $SPLUNK_HOME/etc/system/default/eventdiscoverer.conf. 32 | * Default = "sun, mon, tue,..." 33 | 34 | ignored_fields = 35 | * Similar to ignored_keywords, except these are fields as defined in Splunk 36 | instead of terms. 37 | * Defaults include time-related fields that would not be useful for defining an 38 | event type. 39 | 40 | important_keywords = 41 | * When there are multiple possible phrases for generating an eventtype search, 42 | those phrases containing important_keywords terms are favored. For example, 43 | "fatal error" would be preferred over "last message repeated", as "fatal" is 44 | an important keyword. 45 | * Default = "abort, abstract, accept,..." 46 | * For the full default setting, see $SPLUNK_HOME/etc/system/default/eventdiscoverer.conf.
47 | -------------------------------------------------------------------------------- /serverclass.seed.xml.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | 3 | 9 | 10 | 11 | 12 | 16 | $deploymentServerUri$/services/streams/deployment?name=$serviceClassName$:$appName$ 17 | 18 | 23 | $SPLUNK_HOME/etc/apps 24 | 25 | 26 | 29 | N 30 | 31 | 34 | $SPLUNK_HOME/etc/myapps 35 | splunk.com/spacecake/$serviceClassName$/$appName$.tgz 36 | 37 | 40 | true 41 | false 42 | false 43 | enabled 44 | 45 | 46 | 49 | splunk.com/spacecake/$appName$ 50 | 51 | 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /federated.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 
12 | # 13 | # 14 | [default] 15 | 16 | [provider:splunk] 17 | type = splunk 18 | useFSHKnowledgeObjects = false 19 | mode = standard 20 | 21 | [general] 22 | needs_consent = true 23 | controlCommandsMaxThreads = 5 24 | controlCommandsMaxTimeThreshold = 5 25 | controlCommandsFeatureEnabled = true 26 | allowLookupsToExistOnlyOnRshForStandardMode = true 27 | allowedAndDefaultFederatedProvidersEnabled = true 28 | previewOnRshEnabled = false 29 | proxyBundlesTTL = 172800 30 | remoteEventsDownloadRetryCountMax = 20 31 | remoteEventsDownloadRetryTimeoutMs = 1000 32 | max_preview_generation_duration = 0 33 | max_preview_generation_inputcount = 0 34 | s2s_standard_mode_local_only_commands = mcollect, outputlookup, sendalert, sendemail 35 | enable_streaming_optimization = false 36 | federated_search_remote_ttl = 600 37 | allowAstProjectionElim = false 38 | allowAstPredicateMerge = false 39 | allowAstInsertRedistributeCommand = false 40 | allowAstReplaceChartCmdsWithTstats = false 41 | allowAstReplaceDatamodelStatsCmdsWithTstats = false 42 | allowAstReplaceTableWithFields = false 43 | allowAstReplaceSdselectWithSdsql = false 44 | 45 | [s2s_standard_mode_unsupported_command:metadata] 46 | 47 | [s2s_standard_mode_unsupported_command:metasearch] 48 | 49 | [s2s_transparent_mode_unsupported_command:makeresults] 50 | allow_target = true 51 | 52 | [s2s_transparent_mode_unsupported_command:delete] 53 | 54 | [s2s_transparent_mode_unsupported_command:dump] 55 | 56 | [s2s_transparent_mode_unsupported_command:map] 57 | 58 | [s2s_transparent_mode_unsupported_command:run] 59 | 60 | [s2s_transparent_mode_unsupported_command:runshellscript] 61 | 62 | [s2s_transparent_mode_unsupported_command:script] 63 | 64 | [s2s_transparent_mode_unsupported_command:rest] 65 | 66 | [s2s_transparent_mode_unsupported_command:summarize] 67 | active = true 68 | rsh_min_version_cloud = 9.0.2303.100 69 | rsh_min_version_onprem = 9.1.0 70 | 71 | [s2s_transparent_mode_unsupported_command:tstats] 72 | active = true 
73 | rsh_min_version_cloud = 9.0.2303.100 74 | rsh_min_version_onprem = 9.1.0 75 | 76 | [s2s_unsupported_command:show_source] 77 | rsh_min_version_cloud = 10.0.2503.100 78 | rsh_min_version_onprem = 10.0.0 79 | 80 | -------------------------------------------------------------------------------- /commands.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file has configuration for external search commands 14 | # 15 | 16 | ############## 17 | # defaults for all external commands, exceptions are below in individual stanzas 18 | 19 | # type of script: 'python' (default), 'perl' 20 | type = python 21 | #default filename would be .py for python, .pl for perl and otherwise 22 | 23 | # is command streamable? 24 | streaming = false 25 | # does command generate events? 26 | generating = false 27 | # if generating = true, does command generate events in descending time order 28 | generates_timeorder = false 29 | # does command retain events (e.g. sort/dedup/cluster, or does it transform them e.g. stats) 30 | retainsevents = false 31 | # require pre-streaming operations? 
32 | requires_preop = false 33 | # another possible setting is streaming_preop, which is a string that denotes the requested pre-streaming search string 34 | 35 | # If set to true, the command expects as input a header section + '\n', then the csv input. 36 | # Should be set to true if you use splunk.Intersplunk. 37 | enableheader = true 38 | 39 | # If set to true, the output of the script should be a header section + a blank line, then the csv output 40 | outputheader = false 41 | 42 | # If set to true, an auth token is passed at the start of the input. 43 | passauth = false 44 | 45 | # maximum data that can be passed to the command (0 = no limit) 46 | maxinputs = 50000 47 | 48 | # issue a performance warning if more than this many events are passed in as input (0 = never) 49 | perf_warn_limit = 0 50 | 51 | # does the command support dynamic probing for settings via the 52 | # first argument being invoked == __GETINFO__ or __EXECUTE__ 53 | supports_getinfo = false 54 | 55 | # allow the script to change the column order 56 | changes_colorder = true 57 | 58 | required_fields = * 59 | 60 | # whether extra precautions should be taken when running a command like this 61 | is_risky = false 62 | 63 | # If set to "true", splunkd passes the serialized timezone information of the user to the script 64 | # as part of the header. Requires that enableheader is set to "true" 65 | pass_timezone = false 66 | 67 | # end defaults 68 | ##################### 69 | 70 | -------------------------------------------------------------------------------- /default.meta.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # 4 | # *.meta files contain ownership information, access controls, and export 5 | # settings for Splunk objects like saved searches, event types, and views. 6 | # Each app has its own default.meta file.
7 | 8 | # Interaction of ACLs across app-level, category level, and specific object 9 | # configuration: 10 | * To access/use an object, users must have read access to: 11 | * the app containing the object 12 | * the generic category within the app (for example, [views]) 13 | * the object itself 14 | * If any layer does not permit read access, the object will not be accessible. 15 | 16 | * To update/modify an object, such as to edit a saved search, users must have: 17 | * read and write access to the object 18 | * read access to the app, to locate the object 19 | * read access to the generic category within the app (for example, [savedsearches]) 20 | * If the object does not permit write access to the user, the object will not be 21 | modifiable. 22 | * If any layer does not permit read access to the user, the object will not be 23 | accessible, and therefore cannot be modified. 24 | 25 | * In order to add or remove objects from an app, users must have: 26 | * write access to the app 27 | * If users do not have write access to the app, an attempt to add or remove an 28 | object will fail. 29 | 30 | * By default, objects are only visible within the app in which they were created. 31 | To make an object available to all apps, set the object's 'export' setting to 32 | "system". 33 | * export = system 34 | 35 | * Objects that are exported to other apps, or to system context, keep the same 36 | accessibility rules. Users must still have read access to the 37 | containing app, category, and object, despite the export. 38 | 39 | # Set access controls on the app containing this metadata file. 40 | [] 41 | access = read : [ * ], write : [ admin, power ] 42 | * Allow all users to read this app's contents. Unless overridden by other 43 | metadata, allow only admin and power users to share objects into this app. 44 | 45 | # Set access controls on this app's views. 46 | [views] 47 | access = read : [ * ], write : [ admin ] 48 | * Allow all users to read this app's views. 
Allow only admin users to create, 49 | remove, share, or unshare views in this app. 50 | 51 | # Set access controls on a specific view in this app. 52 | [views/index_status] 53 | access = read : [ admin ], write : [ admin ] 54 | * Allow only admin users to read or modify this view. 55 | 56 | # Make this view available in all apps. 57 | export = system 58 | * To make this view available only in this app, set 'export = none' instead. 59 | owner = admin 60 | * Set admin as the owner of this view. 61 | -------------------------------------------------------------------------------- /default-mode.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file documents the syntax of default-mode.conf for comprehension and 4 | # troubleshooting purposes. 5 | 6 | # default-mode.conf is a file that exists primarily for Splunk Support and 7 | # Services to configure the Splunk platform. 8 | 9 | # CAVEATS: 10 | 11 | # DO NOT make changes to default-mode.conf without coordinating with Splunk 12 | # Support or Services. End-user changes to default-mode.conf are not 13 | # supported. 14 | # 15 | # default-mode.conf *will* be removed in a future version of the Splunk platform, 16 | # along with the entire configuration scheme that it affects. Any settings present 17 | # in default-mode.conf files will be completely ignored at this point. 18 | # 19 | # Settings in default-mode.conf affect how pieces of code communicate. 20 | # Configuration changes in default-mode.conf might fail to work, 21 | # behave unexpectedly, or harm your deployment. Any changes must be made 22 | # only under the guidance of Splunk Support or Services staff for 23 | # use in a specific deployment of Splunk Enterprise. 24 | 25 | # INFORMATION: 26 | 27 | # The main value of this spec file is to assist in reading these files for 28 | # troubleshooting purposes. 
default-mode.conf was originally intended to 29 | # provide a way to describe the alternate setups used by the Splunk Light 30 | # Forwarder and Splunk Universal Forwarder. 31 | 32 | # The only reasonable action is to re-enable input pipelines that are 33 | # disabled by default in those forwarder configurations. However, keep the 34 | # prior caveats in mind. Any future means of enabling inputs will have a 35 | # different form when this mechanism is removed. 36 | 37 | # SYNTAX: 38 | 39 | [pipeline:] 40 | disabled = 41 | disabled_processors = 42 | 43 | 44 | [pipeline:] 45 | * Refers to a particular Splunkd pipeline. 46 | * The set of named pipelines is a splunk-internal design. That does not 47 | mean that the Splunk design is a secret, but it means it is not external 48 | for the purposes of configuration. 49 | * Useful information on the data processing system of splunk can be found 50 | in the external documentation, for example 51 | http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Datapipeline 52 | 53 | 54 | disabled = 55 | * Whether or not the Splunk platform loads the specified pipeline. 56 | * If set to true on a specific pipeline, the pipeline will not be loaded in 57 | the system. 58 | 59 | disabled_processors = , 60 | * Processors which normally would be loaded in this pipeline are not loaded 61 | if they appear in this list. 62 | * The set of named processors is again a Splunk-internal design component. 63 | -------------------------------------------------------------------------------- /outputs.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 
9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | 13 | [tcpout] 14 | forwardedindex.0.whitelist = .* 15 | forwardedindex.1.blacklist = _.* 16 | forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker) 17 | forwardedindex.filter.disable = false 18 | indexAndForward = false 19 | blockOnCloning = true 20 | compressed = false 21 | disabled = false 22 | dropClonedEventsOnQueueFull = 5 23 | dropEventsOnQueueFull = -1 24 | heartbeatFrequency = 30 25 | maxFailuresPerInterval = 2 26 | secsInFailureInterval = 1 27 | maxConnectionsPerIndexer = 2 28 | forceTimebasedAutoLB = false 29 | sendCookedData = true 30 | connectionTimeout = 20 31 | readTimeout = 300 32 | writeTimeout = 300 33 | tcpSendBufSz = 0 34 | ackTimeoutOnShutdown = 30 35 | useACK = false 36 | blockWarnThreshold = 100 37 | sslQuietShutdown = false 38 | useClientSSLCompression = true 39 | enableOldS2SProtocol = false 40 | autoLBVolume = 0 41 | maxQueueSize = auto 42 | connectionTTL = 0 43 | autoLBFrequency = 30 44 | # The following provides modern TLS configuration that guarantees forward- 45 | # secrecy and efficiency. This configuration drops support for old Splunk 46 | # versions (Splunk 5.x and earlier). 
47 | # To add support for Splunk 5.x set sslVersions to tls and add this to the 48 | # end of cipherSuite: 49 | # DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA 50 | # and this, in case Diffie Hellman is not configured (these non-DHE suites give up the forward secrecy described above; remove them once the legacy forwarders are upgraded): 51 | # AES256-SHA:AES128-SHA 52 | sslVersions = tls1.2 53 | cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256 54 | ecdhCurves = prime256v1, secp384r1, secp521r1 55 | 56 | [syslog] 57 | type = udp 58 | priority = <13> 59 | maxEventSize = 1024 60 | 61 | [rfs] 62 | partitionBy = legacy 63 | batchTimeout = 30 64 | batchSizeThresholdKB = 131072 65 | dropEventsOnUploadError = false 66 | compression = zstd 67 | compressionLevel = 3 68 | format = json 69 | format.json.index_time_fields = true 70 | format.ndjson.index_time_fields = true 71 | fs.appendToFileUntilSizeMB = 2048 72 | fs.timeBeforeClosingFileSecs = 30 73 | -------------------------------------------------------------------------------- /ui-prefs.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file contains possible attribute/value pairs for ui preferences. 
14 | # 15 | 16 | ############################################################## 17 | # default values for fields - UI needs these to build forms # 18 | ############################################################## 19 | 20 | dispatch.earliest_time = 21 | dispatch.latest_time = 22 | 23 | # Pref only options 24 | display.prefs.autoOpenSearchAssistant = 1 25 | display.prefs.timeline.height = 120px 26 | display.prefs.timeline.minimized = 0 27 | display.prefs.timeline.minimalMode = 1 28 | display.prefs.aclFilter = none 29 | display.prefs.appFilter = none 30 | display.prefs.listMode = tiles 31 | display.prefs.searchContext = search 32 | display.prefs.events.count = 20 33 | display.prefs.statistics.count = 20 34 | display.prefs.fieldCoverage = .01 35 | display.prefs.enableMetaData = 1 36 | display.prefs.showDataSummary = 1 37 | display.prefs.showSPL = 0 38 | display.prefs.customSampleRatio = 1000 39 | # count per page for listing pages 40 | countPerPage = 41 | 42 | # General options 43 | display.general.enablePreview = 1 44 | 45 | # Event options 46 | display.events.fields = ["host","source","sourcetype"] 47 | display.events.type = list 48 | display.events.rowNumbers = 0 49 | display.events.maxLines = 5 50 | display.events.raw.drilldown = full 51 | display.events.list.wrap = 1 52 | display.events.list.drilldown = full 53 | display.events.table.wrap = 1 54 | display.events.table.drilldown = 1 55 | 56 | # Statistics options 57 | display.statistics.rowNumbers = 0 58 | display.statistics.wrap = 1 59 | display.statistics.drilldown = cell 60 | 61 | # Visualization options 62 | display.visualizations.type = charting 63 | display.visualizations.custom.type = 64 | display.visualizations.chartHeight = 300 65 | display.visualizations.charting.chart = column 66 | display.visualizations.charting.chart.style = shiny 67 | display.visualizations.charting.legend.labelStyle.overflowMode = ellipsisMiddle 68 | 69 | # Patterns options 70 | display.page.search.patterns.sensitivity = 0.8 71 | 
72 | # Page options 73 | display.page.search.mode = smart 74 | display.page.search.timeline.format = compact 75 | display.page.search.timeline.scale = linear 76 | display.page.search.showFields = 1 77 | display.page.home.showGettingStarted = 1 78 | display.page.search.searchHistoryTimeFilter = -90d@d 79 | display.page.search.searchHistoryCount = 20 80 | 81 | [job_manager] 82 | countPerPage = 10 83 | -------------------------------------------------------------------------------- /fields.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file contains possible attribute and value pairs for creating 14 | # dynamic field extractions. 
15 | # 16 | 17 | TOKENIZER = 18 | INDEXED = False 19 | INDEXED_VALUE = True 20 | 21 | [source] 22 | INDEXED = True 23 | INDEXED_VALUE = False 24 | 25 | [index] 26 | INDEXED = True 27 | INDEXED_VALUE = False 28 | 29 | [sourcetype] 30 | INDEXED = True 31 | INDEXED_VALUE = False 32 | 33 | [_sourcetype] 34 | INDEXED = True 35 | INDEXED_VALUE = False 36 | 37 | [_indextime] 38 | INDEXED = True 39 | INDEXED_VALUE = False 40 | 41 | [host] 42 | INDEXED = True 43 | INDEXED_VALUE = False 44 | 45 | [linecount] 46 | INDEXED = True 47 | INDEXED_VALUE = False 48 | 49 | [punct] 50 | INDEXED = True 51 | INDEXED_VALUE = False 52 | 53 | [evtlog_id] 54 | INDEXED = True 55 | INDEXED_VALUE = False 56 | 57 | [evtlog_category] 58 | INDEXED = True 59 | INDEXED_VALUE = False 60 | 61 | [evtlog_severity] 62 | INDEXED = True 63 | INDEXED_VALUE = False 64 | 65 | [evtlog_account] 66 | INDEXED = True 67 | INDEXED_VALUE = False 68 | 69 | [evtlog_domain] 70 | INDEXED = True 71 | INDEXED_VALUE = False 72 | 73 | [evtlog_sid] 74 | INDEXED = True 75 | INDEXED_VALUE = False 76 | 77 | [evtlog_sid_type] 78 | INDEXED = True 79 | INDEXED_VALUE = False 80 | 81 | [date_year] 82 | INDEXED = True 83 | INDEXED_VALUE = False 84 | 85 | [date_month] 86 | INDEXED = True 87 | INDEXED_VALUE = False 88 | 89 | [date_mday] 90 | INDEXED = True 91 | INDEXED_VALUE = False 92 | 93 | [date_wday] 94 | INDEXED = True 95 | INDEXED_VALUE = False 96 | 97 | [date_hour] 98 | INDEXED = True 99 | INDEXED_VALUE = False 100 | 101 | [date_minute] 102 | INDEXED = True 103 | INDEXED_VALUE = False 104 | 105 | [date_second] 106 | INDEXED = True 107 | INDEXED_VALUE = False 108 | 109 | [date_zone] 110 | INDEXED = True 111 | INDEXED_VALUE = False 112 | 113 | [timeendpos] 114 | INDEXED = True 115 | INDEXED_VALUE = False 116 | 117 | [timestartpos] 118 | INDEXED = True 119 | INDEXED_VALUE = False 120 | 121 | [splunk_server] 122 | INDEXED = True 123 | INDEXED_VALUE = False 124 | 125 | [splunk_server_group] 126 | INDEXED = True 127 | INDEXED_VALUE = 
False 128 | 129 | [splunk_federated_provider] 130 | INDEXED = True 131 | INDEXED_VALUE = False 132 | 133 | #[To] 134 | #TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w) 135 | 136 | #[From] 137 | #TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w) 138 | 139 | #[Cc] 140 | #TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w) 141 | 142 | [sourcetype::splunk_resource_usage::data*] 143 | INDEXED = True 144 | -------------------------------------------------------------------------------- /distsearch.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 
12 | 13 | [distributedSearch] 14 | disabled = false 15 | serverTimeout = 10 16 | servers = 17 | useSHPBundleReplication = true 18 | statusTimeout = 10 19 | connectionTimeout = 10 20 | sendTimeout = 30 21 | receiveTimeout = 600 22 | bestEffortSearch = false 23 | authTokenConnectionTimeout = 5 24 | authTokenSendTimeout = 10 25 | authTokenReceiveTimeout = 10 26 | useIPAddrAsHost = true 27 | defaultUriScheme = https 28 | bcsPath = /bcs/v1/buckets 29 | parallelReduceBackwardCompatibility = enterprise 30 | searchableIndexMapping = enabled 31 | 32 | [tokenExchKeys] 33 | certDir = $SPLUNK_HOME/etc/auth/distServerKeys 34 | publicKey = trusted.pem 35 | privateKey = private.pem 36 | genKeyScript = $SPLUNK_HOME/bin/splunk, createssl, audit-keys 37 | 38 | [replicationSettings] 39 | replicationPolicy = classic 40 | connectionTimeout = 60 41 | sendRcvTimeout = 60 42 | replicationThreads = auto 43 | maxBundleSize = 2048 44 | warnMaxBundleSizePerc = 75 45 | concerningReplicatedFileSize = 500 46 | excludeReplicatedLookupSize = 0 47 | allowDeltaUpload = true 48 | preCompressKnowledgeBundlesClassicMode = true 49 | preCompressKnowledgeBundlesCascadeMode = false 50 | sanitizeMetaFiles = true 51 | cascade_replication_status_interval = 60s 52 | cascade_replication_status_unchanged_threshold = 5 53 | cascade_plan_replication_retry_fast = true 54 | cascade_plan_replication_threshold_failures = 0 55 | statusQueueSize = 5 56 | allowDeltaIndexing = true 57 | 58 | [replicationSettings:refineConf] 59 | # Replicate these specific *.conf files and their associated *.meta stanzas. 
60 | replicate.app = true 61 | replicate.authorize = true 62 | replicate.collections = true 63 | replicate.commands = true 64 | replicate.eventtypes = true 65 | replicate.fields = true 66 | replicate.field_filters = true 67 | replicate.segmenters = true 68 | replicate.literals = true 69 | replicate.lookups = true 70 | replicate.macros = true 71 | replicate.multikv = true 72 | replicate.props = true 73 | replicate.tags = true 74 | replicate.transforms = true 75 | replicate.transactiontypes = true 76 | 77 | [replicationAllowlist] 78 | refine.conf = (system|(apps/*)|users(/_reserved)?/*/*)/(default|local)/*.conf 79 | refine.metadata = (system|(apps/*)|users(/_reserved)?/*/*)/metadata/*.meta 80 | other = (system|(apps/(?!pdfserver)*)|users(/_reserved)?/*/*)/(bin|lookups)/... 81 | kvstore = kvstore_*/... 82 | 83 | [replicationDenylist] 84 | lookupindexfiles = (system|apps/*|users(/_reserved)?/*/*)/lookups/*.(tmp$|index((|.alive|.lock)$|/...)) 85 | sampleapp = apps/sample_app/... 86 | # Protect against overly-broad conf allowlists. 87 | conf = (system|(apps/*))/(default|local)/server.conf 88 | # Search processes do not use anything contained in user-specific *.meta files. 89 | user_specific_meta = users(/_reserved)?/*/*/metadata/local.meta 90 | framework = apps/framework/... 91 | precompiled_python = ....pyc$ 92 | splunkvisualexporter = apps/splunk-visual-exporter/... 93 | 94 | 95 | [bundleEnforcerAllowlist] 96 | 97 | 98 | [bundleEnforcerDenylist] 99 | -------------------------------------------------------------------------------- /eventtypes.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains descriptions of the settings that you can use to 4 | # configure event types and their properties. 5 | # 6 | # Each stanza controls different settings. 7 | # 8 | # There is an eventtypes.conf file in the $SPLUNK_HOME/etc/system/default/ directory. 
9 | # Never change or copy the configuration files in the default directory. 10 | # The files in the default directory must remain intact and in their original 11 | # location. 12 | # 13 | # To set custom configurations, create a new file with the name eventtypes.conf in 14 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 15 | # that you want to customize to the local configuration file. 16 | # For examples, see eventtypes.conf.example. 17 | # 18 | # Any event types that you create through Splunk Web are automatically added to 19 | # the user's $SPLUNK_HOME/etc/users/$user/$app/local/eventtypes.conf file. 20 | # 21 | # To learn more about configuration files (including precedence) please see 22 | # the documentation located at 23 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 24 | 25 | # GLOBAL SETTINGS 26 | # Use the [default] stanza to define any global settings. 27 | # * You can also define global settings outside of any stanza, at the top 28 | # of the file. 29 | # * Each conf file should have at most one default stanza. If there are 30 | # multiple default stanzas, attributes are combined. In the case of 31 | # multiple definitions of the same attribute, the last definition in the 32 | # file wins. 33 | # * If an attribute is defined at both the global level and in a specific 34 | # stanza, the value in the specific stanza takes precedence. 35 | 36 | [<$EVENTTYPE>] 37 | * Header for the event type 38 | * $EVENTTYPE is the name of your event type. 39 | * You can have any number of event types, each represented by a stanza and 40 | any number of the following attribute/value pairs. 41 | * NOTE: If the name of the event type includes field names surrounded by the 42 | percent character (for example "%$FIELD%") then the value of $FIELD is 43 | substituted into the event type name for that event. 
For example, an 44 | event type with the header [cisco-%code%] that has "code=432" becomes 45 | labeled "cisco-432". 46 | 47 | disabled = [1|0] 48 | * Toggle event type on or off. 49 | * Set to 1 to disable. 50 | 51 | search = 52 | * Search terms for this event type. 53 | * For example: error OR warn. 54 | * NOTE: You cannot base an event type on: 55 | * A search that includes a pipe operator (a "|" character). 56 | * A subsearch (a search pipeline enclosed in square brackets). 57 | * A search referencing a report. Avoiding this is a best practice. Any report that is referenced by an 58 | event type can later be updated in a way that makes it invalid as an event type. For example, 59 | a report that is updated to include transforming commands cannot be used as the definition for 60 | an event type. You have more control over your event type if you define it with the same search 61 | string as the report. 62 | 63 | priority = 64 | * Value used to determine the order in which the matching eventtypes of an 65 | event are displayed. 66 | * 1 is the highest priority and 10 is the lowest priority. 67 | 68 | description = 69 | * Optional human-readable description of this event type. 70 | 71 | tags = 72 | * DEPRECATED - see tags.conf.spec 73 | 74 | color = 75 | * Color for this event type. 76 | * Supported colors: none, et_blue, et_green, et_magenta, et_orange, 77 | et_purple, et_red, et_sky, et_teal, et_yellow 78 | 79 | -------------------------------------------------------------------------------- /macros.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | ############################################################################ 6 | # This file contains descriptions of the settings that you can use 7 | # for search language macros. 
8 | # 9 | # There is a macros.conf file in the $SPLUNK_HOME/etc/system/default/ directory. 10 | # Never change or copy the configuration files in the default directory. 11 | # The files in the default directory must remain intact and in their original 12 | # location. 13 | # 14 | # To set custom configurations, create a new file with the name macros.conf in 15 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 16 | # that you want to customize to the local configuration file. 17 | # For examples, see macros.conf.example. You must restart the Splunk instance 18 | # to enable configuration changes. 19 | # 20 | # To learn more about configuration files (including file precedence) see the 21 | # documentation located at 22 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 23 | 24 | [] 25 | * Each stanza represents a search macro that can be referenced in any search. 26 | * The stanza name is the name of the macro if the macro takes no arguments. 27 | Otherwise, the stanza name is the macro name appended with "()", 28 | where is the number of arguments that this macro takes. 29 | * Macros can be overloaded, which means they can have the same name but a 30 | different number of arguments. If you have these stanzas - [foobar], [foobar(1)], 31 | [foobar(2)], and so forth - they are not the same macro. 32 | * You can specify settings with a macro, which are described below. 33 | The settings are: 34 | * A set of macro arguments (args) 35 | * A definition string with argument substitutions 36 | * A validation string, with or without an error message 37 | * A setting that identifies if the definition is an eval expression 38 | * A description for the macro 39 | * Macros can be used in the search language by enclosing the macro name and any 40 | argument list in backtick marks. For example: `foobar(arg1,arg2)` or `footer`. 
41 | * The Splunk platform does not expand macros when they are inside quoted values, for 42 | example: "foo`bar`baz" 43 | 44 | args = ,,... 45 | * A comma-separated list of argument names. 46 | * Argument names can only contain alphanumeric characters, underscores ( _ ), and 47 | hyphens ( - ). 48 | * If the stanza name indicates that this macro takes no arguments, this 49 | setting is ignored. 50 | * This list cannot contain any repeated elements. 51 | 52 | definition = 53 | * The string that the macro will expand to, with the argument substitutions 54 | made. The exception is when "iseval = true", see below. 55 | * Arguments to be substituted must begin and end with a dollar sign ($). For example: 56 | "The last part of this string will be replaced by the value of argument foo $foo$". 57 | * The Splunk platform replaces the $$ pattern globally in the string, even 58 | inside quotation marks. 59 | 60 | validation = 61 | * A validation string that is an 'eval' expression. This expression must 62 | evaluate to a Boolean or a string. 63 | * Use this setting to verify that the macro's argument values are acceptable. 64 | * If the validation expression is Boolean, validation succeeds when it returns 65 | "true". If it returns "false" or is NULL, validation fails and the Splunk platform 66 | returns the error message defined by the 'errormsg' setting. 67 | * If the validation expression is not Boolean, the Splunk platform expects it to 68 | return a string or NULL. If it returns NULL, validation is considered a success. 69 | Otherwise, the string returned is the error message. 70 | 71 | errormsg = 72 | * The error message displayed if the 'validation' setting is a Boolean expression and 73 | the expression does not evaluate to "true". 74 | 75 | iseval = true|false 76 | * If set to "true", the 'definition' setting is expected to be an eval expression that 77 | returns a string representing the expansion of this macro. 78 | * Default: false. 
79 | 80 | description = 81 | * OPTIONAL. A simple description of what the macro does. 82 | -------------------------------------------------------------------------------- /collections.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file configures the KV Store collections for a given app in Splunk. 4 | # 5 | # To learn more about configuration files (including precedence) please see 6 | # the documentation located at 7 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 8 | 9 | 10 | [] 11 | 12 | enforceTypes = 13 | * Indicates whether to enforce data types when inserting data into the 14 | collection. 15 | * When set to true, invalid insert operations fail. 16 | * When set to false, invalid insert operations drop only the invalid field. 17 | * Default: false 18 | 19 | field. = number|bool|string|time 20 | * Field type for a field called . 21 | * If the data type is not provided, the data type is inferred from the provided JSON 22 | data type. 23 | 24 | accelerated_fields. = 25 | * Acceleration definition for an acceleration called . 26 | * Must be a valid JSON document. Invalid JSON is ignored. 27 | * Example: 'acceleration.foo={"a":1, "b":-1}' is a compound acceleration 28 | that first sorts 'a' in ascending order and then 'b' in descending order. 29 | * There are restrictions in compound acceleration. A compound acceleration 30 | must not have more than one field in an array. If it does, KV store does 31 | not start or work correctly. 32 | * Duplicating fields in KV store acceleration definitions might cause KV store to fail. 33 | * If multiple accelerations with the same definition are in the same 34 | collection, the duplicates are skipped. 35 | * If the data within a field is too large for acceleration, you see a 36 | warning when you try to create an accelerated field and the acceleration 37 | is not created. 
38 | * An acceleration is always created on the _key. 39 | * The order of accelerations is important. For example, an acceleration of 40 | { "a":1, "b":1 } speeds queries on "a" and "a" + "b", but not on "b" 41 | alone. 42 | * Multiple separate accelerations also speed up queries. For example, 43 | separate accelerations { "a": 1 } and { "b": 1 } speed up queries on 44 | "a" + "b", but not as well as a combined acceleration { "a":1, "b":1 }. 45 | * Default: nothing (no acceleration) 46 | 47 | profilingEnabled = 48 | * Indicates whether to enable logging of slow-running operations, as defined 49 | in 'profilingThresholdMs'. 50 | * Default: false 51 | 52 | profilingThresholdMs = 53 | * The threshold for logging a slow-running operation, in milliseconds. 54 | * When set to 0, all operations are logged. 55 | * This setting is used only when 'profilingEnabled' is "true". 56 | * This setting affects the performance of the collection. 57 | * Default: 1000 58 | 59 | replicate = 60 | * Indicates whether to replicate this collection on indexers. When false, 61 | this collection is not replicated on indexers, and lookups that depend on 62 | this collection are not available (although if you run a lookup command 63 | with 'local=true', local lookups are available). When true, 64 | this collection is replicated on indexers. 65 | * Default: false 66 | 67 | replication_dump_strategy = one_file|auto 68 | * Indicates how to store dump files. When set to one_file, dump files are 69 | stored in a single file. When set to auto, dump files are stored in 70 | multiple files when the size of the collection exceeds the value of 71 | 'replication_dump_maximum_file_size'. 72 | * Default: auto 73 | 74 | replication_dump_maximum_file_size = 75 | * Specifies the maximum file size (in KB) for each dump file when 76 | 'replication_dump_strategy=auto'. 
77 | * If this value is larger than the value of 'concerningReplicatedFileSize' 78 | in distsearch.conf, the value of 'concerningReplicatedFileSize' is 79 | used instead. 80 | * KV Store does not pre-calculate the size of the records to be written 81 | to disk, so the size of the resulting files can be affected by the 82 | 'max_rows_in_memory_per_dump' setting from limits.conf. 83 | * Default: 10240 84 | 85 | type = internal_cache|undefined 86 | * For internal use only. 87 | * Indicates the type of data that this collection holds. 88 | * When set to internal_cache, changing the configuration of the current 89 | instance between search head cluster, search head pool, or standalone 90 | erases the data in the collection. 91 | * Default: undefined 92 | -------------------------------------------------------------------------------- /times.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | [default] 3 | label = default times.conf label 4 | 5 | # 6 | # continuous range, current 7 | # 8 | 9 | [last_15_mins] 10 | label = Last 15 minutes 11 | header_label = in the last 15 minutes 12 | earliest_time = -15m 13 | latest_time = now 14 | order = 10 15 | 16 | [last_60_mins] 17 | label = Last 60 minutes 18 | header_label = in the last 60 minutes 19 | earliest_time = -60m@m 20 | latest_time = now 21 | order = 20 22 | 23 | [last_4_hours] 24 | label = Last 4 hours 25 | header_label = in the last 4 hours 26 | earliest_time = -4h@m 27 | latest_time = now 28 | order = 30 29 | 30 | [last_24_hours] 31 | label = Last 24 hours 32 | header_label = in the last 24 hours 33 | earliest_time = -24h@h 34 | latest_time = now 35 | order = 40 36 | 37 | [last_7_days] 38 | label = Last 7 days 39 | header_label = in the last 7 days 40 | earliest_time = -7d@h 41 | latest_time = now 42 | order = 50 43 | 44 | [last_30_days] 45 | label = Last 30 days 46 | header_label = in the last 30 days 47 | earliest_time = -30d@d 48 | latest_time = now 49 | 
order = 60 50 | 51 | # 52 | # snapped range, current 53 | # 54 | 55 | [today] 56 | label = Today 57 | earliest_time = @d 58 | latest_time = now 59 | order = 100 60 | 61 | [week_to_date] 62 | label = Week to date 63 | header_label = this week to date 64 | earliest_time = @w0 65 | latest_time = now 66 | order = 110 67 | 68 | # starts from the previous monday @ midnight to now 69 | [business_week_to_date] 70 | label = Business week to date 71 | header_label = this business week to date 72 | earliest_time = @w1 73 | latest_time = now 74 | order = 120 75 | 76 | [month_to_date] 77 | label = Month to date 78 | header_label = this month to date 79 | earliest_time = @mon 80 | latest_time = now 81 | order = 130 82 | 83 | [year_to_date] 84 | label = Year to date 85 | header_label = this year to date 86 | earliest_time = @y 87 | latest_time = now 88 | order = 140 89 | 90 | 91 | # 92 | # snapped range, previous 93 | # 94 | 95 | [yesterday] 96 | label = Yesterday 97 | earliest_time = -1d@d 98 | latest_time = @d 99 | order = 200 100 | 101 | [previous_week] 102 | label = Previous week 103 | header_label = in the previous week 104 | earliest_time = -7d@w0 105 | latest_time = @w0 106 | order = 210 107 | 108 | # If you run a search with this time range on a Sunday, the earliest time value 109 | # will be the most recent Monday. If you run this time range on a Saturday, 110 | # however, the earliest time will be two Mondays ago. 
111 | [previous_business_week] 112 | label = Previous business week 113 | header_label = in the previous business week 114 | earliest_time = -6d@w1 115 | latest_time = -1d@w6 116 | order = 220 117 | 118 | [previous_month] 119 | label = Previous month 120 | header_label = in the previous month 121 | earliest_time = -1mon@mon 122 | latest_time = @mon 123 | order = 230 124 | 125 | [previous_year] 126 | label = Previous year 127 | header_label = in the previous year 128 | earliest_time = -1y@y 129 | latest_time = @y 130 | order = 240 131 | 132 | # 133 | # Real time 134 | # 135 | [real_time_last30s] 136 | label = 30 second window 137 | header_label = in a 30 second window (real-time) 138 | earliest_time = rt-30s 139 | latest_time = rt 140 | order = 100 141 | 142 | [real_time_last1m] 143 | label = 1 minute window 144 | header_label = in a 1 minute window (real-time) 145 | earliest_time = rt-1m 146 | latest_time = rt 147 | order = 110 148 | 149 | [real_time_last5m] 150 | label = 5 minute window 151 | header_label = in a 5 minute window (real-time) 152 | earliest_time = rt-5m 153 | latest_time = rt 154 | order = 120 155 | 156 | [real_time_last30m] 157 | label = 30 minute window 158 | header_label = in a 30 minute window (real-time) 159 | earliest_time = rt-30m 160 | latest_time = rt 161 | order = 130 162 | 163 | [real_time_last1h] 164 | label = 1 hour window 165 | header_label = in a 1 hour window (real-time) 166 | earliest_time = rt-1h 167 | latest_time = rt 168 | order = 140 169 | 170 | [real_time_all] 171 | label = All time (real-time) 172 | header_label = in total (real-time) 173 | earliest_time = rt 174 | latest_time = rt 175 | order = 200 176 | 177 | 178 | # 179 | # All time 180 | # 181 | 182 | [all_time] 183 | label = All time 184 | header_label = over all time 185 | earliest_time = 0 186 | order = 500 187 | 188 | [settings] 189 | show_advanced = true 190 | show_date_range = true 191 | show_datetime_range = true 192 | show_presets = true 193 | show_realtime = true 
194 | show_relative = true 195 | -------------------------------------------------------------------------------- /inputs.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file contains possible attributes and values you can use to 14 | # configure inputs, distributed inputs and file system monitoring. 15 | 16 | 17 | [default] 18 | index = default 19 | _rcvbuf = 1572864 20 | host = $decideOnStartup 21 | 22 | [blacklist:$SPLUNK_HOME/etc/auth] 23 | 24 | [blacklist:$SPLUNK_HOME/etc/passwd] 25 | 26 | [monitor://$SPLUNK_HOME/var/log/splunk] 27 | index = _internal 28 | 29 | [monitor://$SPLUNK_HOME/var/log/watchdog/watchdog.log*] 30 | index = _internal 31 | 32 | [monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log*] 33 | index = _telemetry 34 | 35 | [monitor://$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*] 36 | index = _telemetry 37 | sourcetype = splunk_cloud_telemetry 38 | 39 | [monitor://$SPLUNK_HOME/etc/splunk.version] 40 | _TCP_ROUTING = * 41 | index = _internal 42 | sourcetype=splunk_version 43 | 44 | [monitor://$SPLUNK_HOME/var/log/splunk/configuration_change.log] 45 | index = _configtracker 46 | 47 | [batch://$SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json] 48 | move_policy = sinkhole 49 | index = _introspection 50 | sourcetype = search_telemetry 51 | crcSalt = 52 | log_on_completion = 0 53 | 54 | [batch://$SPLUNK_HOME/var/spool/splunk] 55 | move_policy = sinkhole 56 | crcSalt = 57 | 58 | 
[batch://$SPLUNK_HOME/var/spool/splunk/tracker.log*] 59 | index = _internal 60 | sourcetype = splunkd_latency_tracker 61 | move_policy = sinkhole 62 | 63 | [batch://$SPLUNK_HOME/var/spool/splunk/...stash_new] 64 | queue = stashparsing 65 | sourcetype = stash_new 66 | move_policy = sinkhole 67 | crcSalt = 68 | time_before_close = 0 69 | 70 | [batch://$SPLUNK_HOME/var/spool/splunk/...stash_hec] 71 | sourcetype = stash_hec 72 | move_policy = sinkhole 73 | crcSalt = 74 | 75 | [fschange:$SPLUNK_HOME/var/lib/splunk/modinputs] 76 | disabled=1 77 | index=_internal 78 | sourcetype=modinputs_checkpoint_notification 79 | # poll every day 80 | pollPeriod=86400 81 | signedaudit=false 82 | recurse=true 83 | followLinks=false 84 | hashMaxSize=-1 85 | fullEvent=false 86 | sendEventMaxSize=-1 87 | # batch of 500 events(500 files) 88 | filesPerDelay=500 89 | # 1 second delay between two batches 90 | delayInMills=1000 91 | 92 | 93 | [fschange:$SPLUNK_HOME/etc] 94 | disabled = false 95 | #poll every 10 minutes 96 | pollPeriod = 600 97 | #generate audit events into the audit index, instead of fschange events 98 | signedaudit=true 99 | recurse=true 100 | followLinks=false 101 | hashMaxSize=-1 102 | fullEvent=false 103 | sendEventMaxSize=-1 104 | filesPerDelay = 10 105 | delayInMills = 100 106 | 107 | [udp] 108 | connection_host=ip 109 | 110 | [tcp] 111 | acceptFrom=* 112 | connection_host=dns 113 | 114 | [splunktcp] 115 | route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:rulesetQueue;absent_key:_linebreaker:parsingQueue 116 | acceptFrom=* 117 | connection_host=ip 118 | 119 | logRetireOldS2S = true 120 | logRetireOldS2SRepeatFrequency = 1d 121 | logRetireOldS2SMaxCache = 10000 122 | 123 | [script] 124 | interval = 60.0 125 | start_by_shell = true 126 | 127 | [SSL] 128 | # SSL settings 129 | # The following provides modern TLS configuration that guarantees forward- 130 | # secrecy and efficiency. 
This configuration drops support for old Splunk 131 | # versions (Splunk 5.x and earlier). Note that the additions below re-enable older TLS versions and cipher suites without forward secrecy, so the guarantee above no longer holds. 132 | # To add support for Splunk 5.x, set sslVersions to tls and add this to the 133 | # end of cipherSuite: 134 | # DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA 135 | # and this, in case Diffie Hellman is not configured: 136 | # AES256-SHA:AES128-SHA 137 | 138 | sslVersions = tls1.2 139 | cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 140 | ecdhCurves = prime256v1, secp384r1, secp521r1 141 | 142 | allowSslRenegotiation = true 143 | sslQuietShutdown = false 144 | logCertificateData = true 145 | certLogMaxCacheEntries = 10000 146 | certLogRepeatFrequency = 1d 147 | 148 | -------------------------------------------------------------------------------- /eventdiscoverer.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # DO NOT EDIT THIS FILE! 3 | # Changes to default files will be lost on update and are difficult to 4 | # manage and support. 5 | # 6 | # Please make any changes to system defaults by overriding them in 7 | # apps or $SPLUNK_HOME/etc/system/local 8 | # (See "Configuration file precedence" in the web documentation). 9 | # 10 | # To override a specific setting, copy the name of the stanza and 11 | # setting to the file where you wish to override it. 12 | # 13 | # This file configures event discovery through the search command 14 | # "typelearner." 
15 | # 16 | 17 | ignored_keywords = sun, mon, tue, tues, wed, thu, thurs, fri, sat, sunday, monday, tuesday, wednesday, thursday, friday, saturday, jan, feb, mar, apr, may, jun, jul, aug, sep, oct, nov, dec, january, february, march, april, may, june, july, august, september, october, november, december, 2003, 2004, 2005, 2006, am, pm, ut, utc, gmt, cet, cest, cetdst, met, mest, metdst, mez, mesz, eet, eest, eetdst, wet, west, wetdst, msk, msd, ist, jst, kst, hkt, ast, adt, est, edt, cst, cdt, mst, mdt, pst, pdt, cast, cadt, east, eadt, wast, wadt, about, after, again, against, all, almost, already, also, although, always, among, an, and, any, anyone, are, as, at, away, be, became, because, become, becomes, been, before, being, between, both, but, by, came, could, does, during, each, either, else, ever, every, following, for, from, further, gave, gets, give, given, giving, gone, got, had, has, have, having, here, how, however, if, in, into, is, it, itself, just, keep, kept, like, made, make, many, might, more, most, much, must, neither, nor, noted, now, of, often, on, only, or, other, our, out, owing, perhaps, please, quite, rather, really, regarding, said, same, seem, seen, several, shall, should, show, showed, shown, shows, similar, since, so, some, sometime, somewhat, soon, such, than, that, the, their, theirs, them, then, there, therefore, these, they, this, those, though, through, throughout, to, too, toward, under, unless, until, upon, use, used, usefulness, using, various, very, was, we, were, what, when, where, whether, which, while, who, whose, why, will, with, within, without, would, yet, net, org, com, edu, co 18 | 19 | ignored_fields = daysago, enddaysago, endhoursago, endminutesago, endmonthsago, endtime, endtimeeu, hoursago, minutesago, monthsago, searchtimespandays, searchtimespanhours, searchtimespanminutes, searchtimespanmonths, startdaysago, starthoursago, startminutesago, startmonthsago, starttime, starttimeeu, timeformat, maxresults, readlevel, 
readlimit, related, date_year, date_month, date_mday, date_wday, date_hour, date_minute, date_second, date_zone 20 | 21 | important_keywords = abort, abstract, accept, access, account, acl, activ, add, address, admin, age, agent, aix, alarm, alert, algorithm, allow, anon, answer, apache, api, app, asp, auth, auto, avg, bea, begin, bgroup, bin, block, bridge, browse, buffer, build, busy, bye, byte, cache, calc, cancel, cannot, caught, caused, cert, cgi, channel, check, child, class, client, clos, code, set, command, common, complet, component, config, connect, content, control, cookie, couldn, count, cpu, creat, crond, current, custom, data, date, db, debug, default, defer, delet, den, deploy, detect, dhcp, dial, didn, dir, dis, doc, done, element, enabl, end, engine, enter, err, escalat, estimat, except, exec, exit, express, ext, fail, fatal, feed, field, file, finish, flag, flush, function, get, group, halt, handl, hang, head, heap, history, home, host, http, ignor, iis, index, info, init, inner, insert, inside, inst, intern, invit, ip, isolate, java, jdbc, jini, jmx, jndi, jni, join, kernel, key, lang, last, ldap, left, level, library, licens, limit, listen, load, locat, lock, log, manag, maps, max, memory, message, meta, method, min, mod, mode, model, monitor, mozilla, mysqld, name, nameserverimp, nest, no, note, notice, ntauthenticationproviders, null, number, object, ok, open, operat, opportunit, option, oracle, orb, order, pam, parse, password, peer, php, physical, pid, pipeline, pool, port, ports, post, power, ppid, pri, process, product, program, public, put, pwd, query, queu, quit, read, receiv, recover, recv, refer, reflect, regist, reject, remov, replac, reply, request, result, rmi, root, run, schedul, script, search, secur, select, send, sent, serial, servic, serv, set, sever, signa, signa, single, sip, size, smtp, snmpd, soap, source, space, specif, sql, ssh, ssi, ssl, stack, stage, stale, start, statist, status, stop, stor, subject, success, support, 
swap, sys, table, task, tcp, test, text, themes, thread, time, timeout, tmp, top, total, trace, trade, transaction, tri, try, type, unable, unknown, update, uri, url, user, util, valid, value, var, verbose, version, virtual, wait, warn, watch, web, work, workstation, writ, write, xar, xml 22 | -------------------------------------------------------------------------------- /app.conf: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | 3 | [triggers] 4 | reload.alert_actions = simple 5 | reload.alerts = simple 6 | reload.app = simple 7 | reload.authentication = access_endpoints /authentication/providers/services 8 | reload.authorize = access_endpoints /authentication/providers/services 9 | reload.collections = access_endpoints /storage/collections/config 10 | reload.commands = simple 11 | reload.datamodels = simple 12 | reload.distsearch = access_endpoints /search/distributed/bundle-replication-files, /search/distributed/peers 13 | reload.event_renderers = simple 14 | reload.eventtypes = simple 15 | reload.fields = simple 16 | reload.field_filters = simple 17 | reload.health = access_endpoints /server/health-config 18 | reload.history = simple 19 | reload.html = simple 20 | reload.indexes = access_endpoints /data/indexes 21 | reload.limits = access_endpoints /server/status/limits/general 22 | reload.lookups = simple 23 | reload.macros = simple 24 | reload.manager = simple 25 | reload.metric_rollups = access_endpoints /catalog/metricstore/rollup 26 | reload.metric_alerts = access_endpoints /alerts/metric_alerts 27 | reload.messages = access_endpoints /admin/messages-conf 28 | reload.models = simple 29 | reload.multikv = simple 30 | reload.nav = simple 31 | reload.outputs = access_endpoints /data/outputs/tcp/server, /data/ingest/rfsdestinations 32 | reload.panels = simple 33 | reload.passwords = simple 34 | reload.props = access_endpoints /admin/transforms-reload, /admin/metrics-reload, /admin/metric-schema-reload 
35 | reload.restmap = rest_endpoints 36 | reload.savedsearches = access_endpoints /saved/searches 37 | reload.searchbnf = simple 38 | reload.searchscripts = simple 39 | reload.server = http_post /replication/configuration/whitelist-reload, /config_tracker/config/_reload, /s3client/_reload 40 | reload.tags = simple 41 | reload.telemetry = simple 42 | reload.times = simple 43 | reload.transforms = access_endpoints /admin/transforms-reload, /admin/metrics-reload, /admin/metric-schema-reload 44 | reload.ui-prefs = simple 45 | reload.ui-tour = simple 46 | reload.views = simple 47 | reload.viewstates = simple 48 | reload.visualizations = simple 49 | reload.web = http_post /server/control/restart_webui_polite 50 | reload.workflow_actions = simple 51 | reload.workload_pools = access_endpoints /workloads/config 52 | reload.workload_rules = access_endpoints /workloads/config 53 | reload.workload_policy = access_endpoints /workloads/policy 54 | # Data inputs 55 | reload.inputs = access_endpoints /data/inputs/monitor, /data/inputs/script, /data/inputs/udp, /data/inputs/tcp/raw, /data/inputs/tcp/cooked, /data/inputs/http 56 | reload.wmi = simple 57 | # stanza-level reload triggers for inputs.conf 58 | reload.inputs.monitor = access_endpoints /data/inputs/monitor 59 | reload.inputs.batch = access_endpoints /data/inputs/monitor 60 | reload.inputs.script = access_endpoints /data/inputs/script 61 | reload.inputs.http = access_endpoints /data/inputs/http 62 | reload.inputs.udp = access_endpoints /data/inputs/udp 63 | reload.inputs.cloud_processor = access_endpoints /remote/cloud-processor/input/config 64 | 65 | # stanza-level reload triggers for outputs.conf 66 | reload.outputs.http = never 67 | reload.outputs.indexAndForward = never 68 | reload.outputs.indexer_discovery = never 69 | reload.outputs.remote_queue = never 70 | reload.outputs.rfs = access_endpoints /data/ingest/rfsdestinations 71 | reload.outputs.syslog = never 72 | reload.outputs.tcpout = access_endpoints 
/data/outputs/tcp/server 73 | reload.outputs.cloud_processor = access_endpoints /remote/cloud-processor/output/config 74 | 75 | 76 | # stanza-level reload triggers for server.conf 77 | reload.server.disaster_recovery_settings = access_endpoints /xrdr/config 78 | reload.server.noahService = access_endpoints /noah/config 79 | reload.server.noahClient = access_endpoints /noah/config 80 | reload.server.hot_bucket_streaming = access_endpoints /remote/queue/input/config 81 | reload.server.localProxy = access_endpoints /local_proxy/config 82 | reload.server.postgres = simple 83 | 84 | [ui] 85 | show_in_nav = true 86 | 87 | [shclustering] 88 | deployer_push_mode = merge_to_default 89 | deployer_lookups_push_mode = always_preserve 90 | -------------------------------------------------------------------------------- /times.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | ############################################################################ 6 | # This file contains possible attribute/value pairs for creating custom time 7 | # ranges. 8 | # 9 | # Each stanza controls different search commands settings. 10 | # 11 | # There is a times.conf file in the $SPLUNK_HOME/etc/system/default/ directory. 12 | # Never change or copy the configuration files in the default directory. 13 | # The files in the default directory must remain intact and in their original 14 | # location. 15 | # 16 | # To set custom configurations, create a new file with the name times.conf in 17 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 18 | # that you want to customize to the local configuration file. 19 | # For examples, see times.conf.example. 20 | # You must restart the Splunk instance to enable configuration changes. 
21 | # 22 | # To learn more about configuration files (including file precedence) see the 23 | # documentation located at 24 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 25 | # 26 | ############################################################################ 27 | # GLOBAL SETTINGS 28 | ############################################################################ 29 | # Use the [default] stanza to define any global settings. 30 | # * You can also define global settings outside of any stanza, at the top 31 | # of the file. 32 | # * Each conf file should have at most one default stanza. If there are 33 | # multiple default stanzas, attributes are combined. In the case of 34 | # multiple definitions of the same attribute, the last definition in the 35 | # file wins. 36 | # * If an attribute is defined at both the global level and in a specific 37 | # stanza, the value in the specific stanza takes precedence. 38 | 39 | 40 | [] 41 | * The token to use when accessing time ranges through the API or command line. 42 | * A times.conf file can contain multiple stanzas. 43 | 44 | label = 45 | * The textual description used by the UI to reference this time range. 46 | * Required 47 | 48 | header_label = 49 | * The textual description used by the UI when displaying search results in 50 | this time range. 51 | * Optional. 52 | * Default: The 53 | 54 | earliest_time = 55 | * The string that represents the time of the earliest event to return, 56 | inclusive. 57 | * The time can be expressed with a relative time identifier or in UNIX time. 58 | * Optional. 59 | * No default (No earliest time bound is used) 60 | 61 | latest_time = 62 | * The string that represents the time of the latest event to return, 63 | inclusive. 64 | * The time can be expressed with a relative time identifier or in UNIX 65 | time. 66 | * Optional. 67 | * NOTE: events that occur in the future (relative to the server timezone) 68 | might be returned. 
69 | * No default (No latest time bound is used) 70 | 71 | order = 72 | * The key on which all custom time ranges are sorted, ascending. 73 | * The default time range selector in the UI will merge and sort all time 74 | ranges according to the 'order' key, and then alphabetically. 75 | * Optional. 76 | * Default: 0 77 | 78 | disabled = 79 | * Specifies if the menu item is shown. Set to 1 to hide menu item. 80 | * Optional. 81 | * Default: 0 82 | 83 | sub_menu = 84 | * REMOVED. This setting is no longer used. 85 | 86 | is_sub_menu = 87 | * REMOVED. This setting is no longer used. 88 | 89 | [settings] 90 | * List of flags that modify the panels that are displayed in the time range picker. 91 | 92 | show_advanced = 93 | * Specifies if the 'Advanced' panel should be displayed in the time range picker. 94 | * Optional. 95 | * Default: true 96 | 97 | show_date_range = 98 | * Specifies if the 'Date Range' panel should be displayed in the time range picker. 99 | * Optional. 100 | * Default: true 101 | 102 | show_datetime_range = 103 | * Specifies if the 'Date & Time Range' panel should be displayed in the time range picker. 104 | * Optional. 105 | * Default: true 106 | 107 | show_presets = 108 | * Specifies if the 'Presets' panel should be displayed in the time range picker. 109 | * Optional. 110 | * Default: true 111 | 112 | show_realtime = 113 | * Specifies if the 'Realtime' panel should be displayed in the time range picker. 114 | * Optional. 115 | * Default: true 116 | 117 | show_relative = 118 | * Specifies if the 'Relative' panel should be displayed in the time range picker. 119 | * Optional. 
120 | * Default: true 121 | -------------------------------------------------------------------------------- /ui-prefs.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | ############################################################################ 6 | # DEPRECATED. Web browser local storage now handles the persistence of user 7 | # interface preferences in Splunk Web. Do not modify this file. It might 8 | # be removed in a future release of Splunk software. 9 | # 10 | # This file contains descriptions of the settings that you can use to 11 | # configure the ui for a view. 12 | # 13 | # There is a ui-prefs.conf in $SPLUNK_HOME/etc/system/default directory. 14 | # Never change or copy the configuration files in the default directory. 15 | # The files in the default directory must remain intact and in their original 16 | # location. 17 | # 18 | # To set custom configurations, create a new file with the name ui-prefs.conf in 19 | # the $SPLUNK_HOME/etc/apps//local/ directory. Then add the specific 20 | # settings that you want to customize to the local configuration file. 21 | # For examples, see ui-prefs.conf.example. You must restart the Splunk instance 22 | # to enable configuration changes. 23 | # 24 | # To learn more about configuration files (including file precedence) see the 25 | # documentation located at 26 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 27 | # 28 | ############################################################################ 29 | # GLOBAL SETTINGS 30 | ############################################################################ 31 | # Use the [default] stanza to define any global settings. 32 | # * You can also define global settings outside of any stanza, at the top of 33 | # the file. 
34 | # * Each .conf file should have at most one default stanza. If there are 35 | # multiple default stanzas, settings are combined. In the case of 36 | # multiple definitions of the same setting, the last definition in the 37 | # file takes precedence. 38 | # * If a setting is defined at both the global level and in a specific 39 | # stanza, the value in the specific stanza takes precedence. 40 | 41 | [] 42 | * The name of the xml view file 43 | 44 | dispatch.earliest_time = 45 | dispatch.latest_time = 46 | 47 | ############################################################################ 48 | # Preference options 49 | ############################################################################ 50 | display.prefs.autoOpenSearchAssistant = 0 | 1 51 | display.prefs.timeline.height = 52 | display.prefs.timeline.minimized = 0 | 1 53 | display.prefs.timeline.minimalMode = 0 | 1 54 | display.prefs.aclFilter = [none|app|owner] 55 | display.prefs.appFilter = 56 | display.prefs.listMode = [tiles|table] 57 | display.prefs.searchContext = 58 | display.prefs.events.count = [10|20|50] 59 | display.prefs.statistics.count = [10|20|50|100] 60 | display.prefs.fieldCoverage = [0|.01|.50|.90|1] 61 | display.prefs.enableMetaData = 0 | 1 62 | display.prefs.showDataSummary = 0 | 1 63 | display.prefs.customSampleRatio = 64 | display.prefs.showSPL = 0 | 1 65 | 66 | * Support for this setting has been removed. The setting no longer has 67 | any effect. 
68 | display.prefs.livetail = 0 | 1 69 | 70 | # Count per page for listing pages 71 | countPerPage = [10|20|50] 72 | 73 | ############################################################################ 74 | # Display Formatting Options 75 | ############################################################################ 76 | 77 | # General options 78 | display.general.enablePreview = 0 | 1 79 | 80 | # Event options 81 | display.events.fields = 82 | display.events.type = [raw|list|table] 83 | display.events.rowNumbers = 0 | 1 84 | display.events.maxLines = [0|5|10|20|50|100|200] 85 | display.events.raw.drilldown = [inner|outer|full|none] 86 | display.events.list.drilldown = [inner|outer|full|none] 87 | display.events.list.wrap = 0 | 1 88 | display.events.table.drilldown = 0 | 1 89 | display.events.table.wrap = 0 | 1 90 | 91 | # Statistics options 92 | display.statistics.rowNumbers = 0 | 1 93 | display.statistics.wrap = 0 | 1 94 | display.statistics.drilldown = [row|cell|none] 95 | 96 | # Visualization options 97 | display.visualizations.type = [charting|singlevalue] 98 | display.visualizations.custom.type = 99 | display.visualizations.chartHeight = 100 | display.visualizations.charting.chart = [line|area|column|bar|pie|scatter|radialGauge|fillerGauge|markerGauge] 101 | display.visualizations.charting.chart.style = [minimal|shiny] 102 | display.visualizations.charting.legend.labelStyle.overflowMode = [ellipsisEnd|ellipsisMiddle|ellipsisStart] 103 | 104 | # Patterns options 105 | display.page.search.patterns.sensitivity = 106 | 107 | # Page options 108 | display.page.search.mode = [fast|smart|verbose] 109 | display.page.search.timeline.format = [hidden|compact|full] 110 | display.page.search.timeline.scale = [linear|log] 111 | display.page.search.showFields = 0 | 1 112 | display.page.home.showGettingStarted = 0 | 1 113 | display.page.search.searchHistoryTimeFilter = [@d|-7d@d|-30d@d|-60d@d|-90d@d] 114 | display.page.search.searchHistoryCount = [10|20|50] 115 | 
-------------------------------------------------------------------------------- /checklist.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains the set of attributes and values you can use to 4 | # configure checklist.conf to run health checks in Monitoring Console. 5 | # Any health checks you add manually should be stored in your app's local directory. 6 | # 7 | [] 8 | * A unique string for the name of this health check. 9 | 10 | title = 11 | * (required) Displayed title for this health check. 12 | 13 | category = 14 | * (required) Category for overarching groups of health check items. 15 | 16 | tags = 17 | * (optional) Comma separated list of tags that apply to this health check. 18 | * If omitted, the user will not be able to run this health check as part of a subset of health checks. 19 | 20 | description = 21 | * (optional) A description of what this health check is checking. 22 | * If omitted, no description will be displayed. 23 | 24 | failure_text = 25 | * If this health check did not pass, the text that you specify in this setting can 26 | explain what went wrong. 27 | * While this setting is optional, if you do not specify a value for this 28 | setting, this health check does not display any text that helps 29 | identify why it did not pass. 30 | 31 | suggested_action = 32 | * (optional) Suggested actions for diagnosing and fixing your Splunk installation 33 | so this health check is no longer failing. 34 | * If omitted, no suggested actions for fixing this health check will be displayed. 35 | 36 | doc_link = 37 | * (optional) Location string for help documentation for this health check. 38 | * If omitted, no help link will be displayed to help the user fix this health check. 39 | * Can be a comma separated list if more than one documentation link is needed. 40 | 41 | doc_title = 42 | * (optional) Title string for help documentation link for this health check. 
43 | * Must be included if doc_link exists. 44 | * Will be inserted in the text for the help documentation link like so: "Learn more about $doc_title$" 45 | * If doc_link is a comma separated list, 46 | * then doc_title must also be a comma separated list with one title per item corresponding to doc_link. 47 | 48 | applicable_to_groups = 49 | * (optional) Comma separated list of applicable groups that this check should be run against. 50 | * If omitted, this check item can be applied to all groups. 51 | 52 | environments_to_exclude = 53 | * (optional) Comma separated list of environments that the health check should not run in. 54 | * Possible environments are 'standalone' and 'distributed' 55 | * If omitted, this check can be applied to all environments. 56 | 57 | disabled = 58 | * Disable this check item by setting to 1. 59 | * Default: 0 60 | 61 | search = 62 | * (required) Search string to be run to perform the health check. 63 | * Please separate lines by "\" if the search string has multiple lines. 64 | * 65 | * In single-instance mode, this search will be used to generate the final result. 66 | * In multi-instance mode, this search will generate one row per instance in the result table. 67 | * 68 | * THE SEARCH RESULT NEEDS TO BE IN THE FOLLOWING FORMAT: 69 | * |--------------------------------------------------------------- 70 | * | instance | metric | severity_level | 71 | * |--------------------------------------------------------------- 72 | * | | | | 73 | * |--------------------------------------------------------------- 74 | * | ... | ... | ... | 75 | * |--------------------------------------------------------------- 76 | * 77 | * instance (required, unique) is either the "host" field of events or the 78 | "splunk_server" field of a "| rest" search. 79 | * In order to generate this field, please do things like: 80 | * ... | rename host as instance 81 | * or 82 | * ... 
| rename splunk_server as instance 83 | * 84 | * metric (optional) is one or more columns to "show your work" 85 | * This should be the data that severity_level is determined from. 86 | * The user should be able to look at this field to get some idea of what made the instance fail this check. 87 | * 88 | * severity_level (required) must be one of the following: 89 | * - -1 (N/A) means: "Not Applicable" 90 | * - 0 (ok) means: "all good" 91 | * - 1 (info) means: "just ignore it if you don't understand" 92 | * - 2 (warning) means: "well, you'd better take a look" 93 | * - 3 (error) means: "FIRE!" 94 | * 95 | * Please also note that the search string must contain one of the following 96 | tokens to properly scope to either a single instance or a group of instances, 97 | depending on the settings of checklistsettings.conf. 98 | $rest_scope$ - used for "|rest" search 99 | $hist_scope$ - used for historical search 100 | 101 | drilldown = 102 | * (optional) Link to a search or Monitoring Console dashboard for additional information. 103 | * Please note that the drilldown string must contain a $ delimited string. 104 | * This string must match one of the fields output by the search. 105 | * Most dashboards will need the name of the instance, eg $instance$ 106 | -------------------------------------------------------------------------------- /segmenters.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | ############################################################################ 6 | # This file contains descriptions of the settings that you can use to 7 | # configure the segmentation of events. 8 | # 9 | # There is a segmenters.conf file in the $SPLUNK_HOME/etc/system/default/ directory. 10 | # Never change or copy the configuration files in the default directory. 
11 | # The files in the default directory must remain intact and in their original 12 | # location. 13 | # 14 | # To set custom configurations, create a new file with the name segmenters.conf in 15 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 16 | # that you want to customize to the local configuration file. 17 | # For examples, see segmenters.conf.example. You must restart the Splunk instance 18 | # to enable configuration changes. 19 | # 20 | # To learn more about configuration files (including file precedence) see the 21 | # documentation located at 22 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 23 | # 24 | # NOTE: Keep in mind the following limitations when working with event segmentation: 25 | # 1) The segmenters.conf file must not have conflicting definitions for 26 | # different installed apps. This means that definitions within a 27 | # segmenters.conf that is installed in one app cannot directly conflict 28 | # with definitions within a segmenters.conf that is installed 29 | # in another app. 30 | # 2) Definitions within segmenters.conf must match between search heads 31 | # and search peers. 32 | # 3) Definitions in segmenters.conf must be visible in the global context, 33 | # either within a [default] stanza, or outside of any stanza. 34 | # 35 | ############################################################################ 36 | # GLOBAL SETTINGS 37 | ############################################################################ 38 | # Use the [default] stanza to define any global settings. 39 | # * You can also define global settings outside of any stanza, at the top of 40 | # the file. 41 | # * Each .conf file should have at most one default stanza. If there are 42 | # multiple default stanzas, settings are combined. In the case of 43 | # multiple definitions of the same setting, the last definition in the 44 | # file takes precedence. 
45 | # * If a setting is defined at both the global level and in a specific 46 | # stanza, the value in the specific stanza takes precedence. 47 | 48 | [] 49 | * Name your stanza. 50 | * Follow this stanza name with any number of the following setting/value 51 | pairs. 52 | * If you don't specify a setting/value pair, Splunk will use the default. 53 | 54 | MAJOR = 55 | * Set major breakers. 56 | * Major breakers are words, phrases, or terms in your data that are surrounded 57 | by set breaking characters. 58 | * By default, major breakers are set to most characters and blank spaces. 59 | * Typically, major breakers are single characters. 60 | * Note: \s represents a space; \n, a newline; \r, a carriage return; and 61 | \t, a tab. 62 | * Default is [ ] < > ( ) { } | ! ; , ' " * \n \r \s \t & ? + %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29 63 | 64 | 65 | MINOR = 66 | * Specifies minor breakers. 67 | * In addition to the segments specified by the major breakers, for each minor 68 | breaker found, Splunk indexes the token from the last major breaker to the 69 | current minor breaker and from the last minor breaker to the current minor 70 | breaker. 71 | * Default: / : = @ . - $ # % \\ _ 72 | 73 | INTERMEDIATE_MAJORS = true | false 74 | * Set this to "true" if you want an IP address to appear in typeahead as 75 | a, a.b, a.b.c, a.b.c.d 76 | * The typical negative effect on performance by setting to "true" is 30%. 77 | * Default: false 78 | 79 | FILTER = 80 | * If specified, segmentation will only take place if the regular expression matches. 81 | * Furthermore, segmentation will only take place on the first group of the 82 | matching regex. 83 | * Default: None 84 | 85 | LOOKAHEAD = 86 | * Specifies how far into a given event, in characters, the Splunk segments. 87 | * LOOKAHEAD is applied after any FILTER rules. 88 | * To disable segmentation, set to 0. 
89 | * Default: -1 (read the whole event) 90 | 91 | MINOR_LEN = 92 | * Specifies how long a minor token can be. 93 | * Longer minor tokens are discarded without prejudice. 94 | * Default: -1 95 | 96 | MAJOR_LEN = 97 | * Specifies how long a major token can be. 98 | * Longer major tokens are discarded without prejudice. 99 | * Default: -1. 100 | 101 | MINOR_COUNT = 102 | * Specifies how many minor segments to create for each event. 103 | * After the specified number of minor segments are created, later minor segments are 104 | discarded without prejudice. 105 | * Default: -1 106 | 107 | MAJOR_COUNT = 108 | * Specifies how many major segments are created for each event. 109 | * After the specified number of major segments are created, later segments 110 | are discarded without prejudice. 111 | * Default: -1 112 | -------------------------------------------------------------------------------- /multikv.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains descriptions of the settings that you can use to 4 | # create multikv rules. Multikv is the process of extracting events 5 | # from table-like events, such as the output of top, ps, ls, netstat, etc. 6 | # 7 | # To set custom configurations, create a new file with the name multikv.conf in 8 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 9 | # that you want to customize to the local configuration file. 10 | # For examples, see multikv.conf.example. You must restart the Splunk instance 11 | # to enable configuration changes. 12 | # 13 | # To learn more about configuration files (including file precedence) see the 14 | # documentation located at 15 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 16 | # 17 | # NOTE: Only configure multikv.conf if the default multikv behavior does 18 | # not meet your needs. 
19 | 20 | # A table-like event includes a table consisting of four sections: 21 | # 22 | #--------------------------------------------------------------------------------------- 23 | # Section Name | Description 24 | #--------------------------------------------------------------------------------------- 25 | # pre | optional: info/description (for example: the system summary output in top) 26 | # header | optional: if not defined, fields are named Column_N 27 | # body | required: the body of the table from which child events are constructed 28 | # post | optional: info/description 29 | #--------------------------------------------------------------------------------------- 30 | 31 | # NOTE: Each section must have a definition and a processing component. See 32 | # below. 33 | 34 | [] 35 | * Name of the stanza to use with the multikv search command, for example: 36 | '| multikv conf= rmorig=f | ....' 37 | * Follow this stanza name with any number of the following setting/value pairs. 38 | 39 | ##################### 40 | # Section Definition 41 | ##################### 42 | # Define where each section begins and ends. 43 | 44 |
.start = 45 | * A line matching this regex denotes the start of this section (inclusive). 46 | 47 | OR 48 | 49 |
.start_offset = 50 | * Line offset from the start of an event or the end of the previous section 51 | (inclusive). 52 | * Use this if you cannot define a regex for the start of the section. 53 | 54 |
.member = 55 | * A line membership test. 56 | * Member if lines match the regex. 57 | 58 |
.end = 59 | * A line matching this regex denotes the end of this section (exclusive). 60 | 61 | OR 62 | 63 |
.linecount = 64 | * Specify the number of lines in this section. 65 | * Use this if you cannot specify a regex for the end of the section. 66 | 67 | ##################### 68 | # Section processing 69 | ##################### 70 | # Set processing for each section. 71 | 72 |
.ignore = [_all_|_none_|_regex_ ] 73 | * Determines which member lines will be ignored and not processed further. 74 | 75 |
.replace = = , = ,... 76 | * List of the form: "toReplace" = "replaceWith". 77 | * Can have any number of quoted string pairs. 78 | * For example: "%" = "_", "#" = "_" 79 | 80 |
.tokens = [|||] 80 | * See below for definitions of each possible token: chopper, tokenizer, aligner, 81 | and token-list. 82 | 83 | = _chop_, 84 | * A token that transforms each string into a list of tokens specified by 85 | . 86 | * is a list of (offset, length) tuples, separated by commas. Do not 87 | enclose tuples in parentheses. 88 | * Example: body.tokens = _chop_, 0, 9, 10, 4, 15, 4, 20, 7 89 | 90 | 91 | = _tokenize_ ()? 92 | * A token used to tokenize the string using the delimiter characters. 93 | * This generates at most 'max_tokens' tokens. 94 | * Set 'max_tokens' to: 95 | * -1 for complete tokenization. 96 | * 0 to inherit from the previous section, usually the header section. 97 | * A non-zero number for a specific token count. 98 | * If tokenization is limited by 'max_tokens', the rest of the string is 99 | added onto the last token. 100 | * is a comma-separated list of delimiting characters. 101 | * - A Boolean that specifies whether to consume consecutive 102 | delimiters. Set to "false" or "0" if you want consecutive delimiters treated 103 | as empty values. 104 | * Default: true 105 | 106 | = _align_, , , 107 | * A token that generates tokens by extracting text aligned to the specified header fields. 108 | * header_string: A complete or partial header field value that the columns 109 | are aligned with. 110 | * side: Either L or R (for left or right align, respectively). 111 | * max_width: The maximum width of the extracted field. 112 | * Set 'max_width' to -1 for automatic width. This expands the field until any 113 | of the following delimiters are found: " ", "\t" 114 | 115 | = _token_list_ 116 | * A token that defines a list of static tokens in a section. 117 | * This setting is useful for tables with no header, 118 | for example: the output of 'ls -lah', which has no header at all. 
120 | -------------------------------------------------------------------------------- /messages.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains attribute/value pairs for configuring externalized strings 4 | # in messages.conf. 5 | # 6 | # There is a messages.conf in $SPLUNK_HOME/etc/system/default/. To set custom 7 | # configurations, place a messages.conf in $SPLUNK_HOME/etc/system/local/. You 8 | # must restart the instance to enable configurations. 9 | # 10 | # To learn more about configuration files (including precedence) please see the 11 | # documentation located at 12 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 13 | # 14 | # For the full list of all messages that can be overridden, check out 15 | # $SPLUNK_HOME/etc/system/default/messages.conf 16 | # 17 | # The full name of a message resource is component_key + ':' + message_key. 18 | # After a descriptive message key, append two underscores, and then use the 19 | # letters after the % in printf style formatting, surrounded by underscores. 20 | # 21 | # For example, assume the following message resource is defined: 22 | # 23 | # [COMPONENT:MSG_KEY__D_LU_S] 24 | # message = FunctionX returned %d, expected %lu. 25 | # action = See %s for details. 26 | # 27 | # The message key expects 3 printf-style arguments: %d, %lu, %s. These arguments 28 | # can be in either the message or action fields but must appear in the same order. 29 | # 30 | # In addition to the printf style arguments above, some custom UI patterns are 31 | # allowed in the message and action fields. These patterns are rendered by 32 | # the UI before displaying the text. 33 | # 34 | # For example, a message can link to a specific Splunk Web page using this pattern: 35 | # 36 | # [COMPONENT:MSG_LINK__S] 37 | # message = License key '%s' is invalid. 
38 | # action = See [[/manager/system/licensing|Licensing]] for details. 39 | # 40 | # Another custom formatting option is for date/time arguments. If the argument 41 | # should be rendered in local time and formatted to a specific language, 42 | # provide the unix timestamp and prefix the printf style argument with "$t". 43 | # This indicates that the argument is a timestamp (not a number) and 44 | # should be formatted into a date/time string. 45 | # 46 | # The language and timezone used to render the timestamp is determined during 47 | # render time given the current user viewing the message. It is not required to 48 | # provide these details here. 49 | # 50 | # For example, assume the following message resource is defined: 51 | # 52 | # [COMPONENT:TIME_BASED_MSG__LD] 53 | # message = Component exception @ $t%ld. 54 | # action = See splunkd.log for details. 55 | # 56 | # The first argument is prefixed with "$t", and therefore will be treated as a 57 | # unix timestamp. It will be formatted as a date/time string. 58 | # 59 | # For these and other examples, check out 60 | # $SPLUNK_HOME/etc/system/README/messages.conf.example 61 | # 62 | 63 | 64 | ############################################################################ 65 | # Component 66 | ############################################################################ 67 | 68 | [] 69 | 70 | name = 71 | * The human-readable name used to prefix all messages under this component. 72 | * Required. 73 | * No default. 74 | 75 | ############################################################################ 76 | # Message 77 | ############################################################################ 78 | 79 | [:] 80 | 81 | message = 82 | * String describing what and why something happened. 83 | * Required. 84 | 85 | message_alternate = 86 | * An alternative static string for this message. 87 | * Any arguments are ignored. 
88 | * Default: empty string 89 | 90 | action = 91 | * A string that describes the suggested next step to take in reaction 92 | to the message. 93 | * Default: empty string 94 | 95 | severity = critical|error|warn|info|debug 96 | * The severity of the message. 97 | * Default: warn 98 | 99 | capabilities = 100 | * A comma-separated list of the capabilities required to view the message. 101 | * Default: empty string 102 | 103 | roles = 104 | * A comma-separated list of the roles required to view the message. 105 | * If a user belongs to any of these roles, the user will see the message. 106 | * If a role scope is specified with this setting, it takes precedence over the 107 | "capabilities" setting, which is ignored for the message. 108 | * This setting should be manually configured with any system- or user-created 109 | role. 110 | * Default (Splunk Enterprise): not set 111 | 112 | help = 113 | * The location string to link users to specific documentation. 114 | * No default. 115 | 116 | target = [auto|ui|log|ui,log|none] 117 | * Sets the message display target. 118 | * "auto" means the message display target is automatically determined by 119 | context. 120 | * "ui" messages are displayed in Splunk Web and can be passed on from 121 | search peers to search heads in a distributed search environment. 122 | * "log" messages are displayed only in the log files for the instance under 123 | the BulletinBoard component, with log levels that respect their message 124 | severity. For example, messages with severity "info" are displayed as INFO 125 | log entries. 126 | * "ui,log" combines the functions of the "ui" and "log" options. 127 | * "none" completely hides the message. (Please consider using "log" and 128 | reducing severity instead. Using "none" might impact diagnosability.) 
129 | * Default: auto 130 | -------------------------------------------------------------------------------- /ui-tour.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains the available product tours for Splunk onboarding. 4 | # 5 | # There is a default ui-tour.conf in $SPLUNK_HOME/etc/system/default. 6 | # To create custom tours, place a ui-tour.conf in 7 | # $SPLUNK_HOME/etc/system/local/. To create custom tours for an app, place 8 | # ui-tour.conf in $SPLUNK_HOME/etc/apps//local/. 9 | # 10 | # To learn more about configuration files (including precedence) see the 11 | # documentation located at 12 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 13 | # 14 | # GLOBAL SETTINGS 15 | # Use the [default] stanza to define any global settings. 16 | # * You can also define global settings outside of any stanza, at the top of 17 | # the file. 18 | # * This is not a typical conf file for configurations. It is used to set/create 19 | # tours to demonstrate product functionality to users. 20 | # * If an attribute is defined at both the global level and in a specific 21 | # stanza, the value in the specific stanza takes precedence. 22 | 23 | [] 24 | * The name of the UI tour. 25 | 26 | useTour = 27 | * Used to redirect this tour to another when called by Splunk. 28 | * Optional. 29 | 30 | nextTour = 31 | * Determines what tour to start when the current tour is finished. 32 | * Optional. 33 | 34 | intro = 35 | * A custom string used in a modal to describe which tour is about to be taken. 36 | * Optional. 37 | 38 | type = image|interactive 39 | * Determines the type of tour. 40 | * Required. 41 | * If set to "image", the tour is a simple image tour where the user clicks through 42 | a series of screenshots or images. 43 | * If set to "interactive", the user participates in an interactive UI tour. 
44 | 45 | label = 46 | * The identifying name for the tour used in the tour creation app. 47 | * Required only if the tour is being linked to another tour using the 'nextTour' setting. 48 | 49 | tourPage = 50 | * The Splunk view the tour is associated with. 51 | * Required only if the tour is being linked to another tour using the 'nextTour' setting. 52 | 53 | managerPage = 54 | * Used to signify that the 'tourPage' is a manager page. This changes the URL used 55 | when the 'tourPage' is rendered from "/app/{app}/{view}" to "/manager/{app}/{view}". 56 | * Optional 57 | 58 | viewed = 59 | * Whether the tour has been viewed by a user. 60 | * Set by Splunk. 61 | 62 | skipText = 63 | * The string for the skip button. 64 | * Optional. 65 | * This setting applies to both interactive and image tours. 66 | * Default: Skip tour 67 | 68 | doneText = 69 | * The string for the button at the end of a tour. 70 | * Optional. 71 | * This setting applies to both interactive and image tours. 72 | * Default: Try it now 73 | 74 | doneURL = 75 | * A Splunk URL that redirects the user once the tour is over and they click a 76 | link or button to exit. 77 | * Optional. 78 | * Helpful to use with the 'doneText' setting to specify a starting location for the user 79 | after they take the tour. 80 | * The Splunk link is formed after the localization portion of the full URL. For example, if the link 81 | * is localhost:8000/en-US/app/search/reports, the doneURL will be "app/search/reports". 82 | 83 | forceTour = 84 | * Used with auto tours to force users to take the tour and not be able to skip. 85 | * Optional 86 | 87 | ############################ 88 | ## For image-based tours 89 | ############################ 90 | # You can list as many images with captions as you want. Each new image is created by 91 | # incrementing the number. 92 | 93 | imageName = 94 | * The name of the image file. 95 | * For example, 'example.png'. 96 | * Required for the first image; optional for each subsequent image. 
97 | 98 | imageCaption = 99 | * The caption string for the corresponding image. 100 | * Optional. 101 | 102 | imgPath = 103 | * The subdirectory relative to Splunk's 'img' directory in which users put the images. 104 | This will be appended to the URL for image access and not make a server request within Splunk. 105 | Ex) If the user puts images in a subdirectory 'foo': imgPath = /foo. 106 | Ex) If within an app, imgPath = /foo will point to the app's img path of 107 | appserver/static/img/foo 108 | * Required only if images are not in the main 'img' directory. 109 | 110 | context = > 111 | * String consisting of either 'system' or the app name where the tour images are to be stored. 112 | * Required. 113 | * If set to "system", it reverts to Splunk's native img path. 114 | 115 | ############################ 116 | ## For interactive tours 117 | ############################ 118 | # You can list as many steps with captions as you want. Each new step is created by 119 | # incrementing the number. 120 | 121 | urlData = 122 | * The string of any querystring variables used with the 'tourPage' setting 123 | to create the full URL executing this tour. 124 | * Optional. 125 | * Don't add "?" to the beginning of this string. 126 | 127 | stepText = 128 | * The string used in a specified step to describe the UI being showcased. 129 | * Required but optional only after the first is set. 130 | 131 | stepElement = 132 | * The UI selector used for highlighting the DOM element for the corresponding step. 133 | * Optional. 134 | 135 | stepPosition = 136 | * String that sets the position of the tooltip for the corresponding step. 137 | * Optional. 138 | 139 | stepClickEvent = 140 | * Sets a specific click event for an element for the corresponding step. 141 | * Optional. 142 | 143 | stepClickElement = 144 | * The UI selector used for a DOM element used in conjunction with `stepClickEvent`. 145 | * Optional. 
146 | -------------------------------------------------------------------------------- /agent_management.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | ############################################################################ 6 | # This file contains descriptions of the settings that you can use to 7 | # configure the Agent Management feature. 8 | # 9 | # There is an agent_management.conf file in the $SPLUNK_HOME/etc/system/default/ directory. 10 | # Never change or copy the configuration files in the default directory. 11 | # The files in the default directory must remain intact and in their original 12 | # location. 13 | # 14 | # To set custom configurations, create a new file with the name agent_management.conf in 15 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 16 | # that you want to customize to the local configuration file. 17 | # You must restart the Splunk instance to enable configuration changes. 18 | # 19 | # To learn more about configuration files (including file precedence) see the 20 | # documentation located at 21 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 22 | 23 | [general] 24 | * Agent Management helper process settings. This stanza must exist. 25 | 26 | fallback_to_deployment_server_ui = 27 | * Indicates which UI the forwarder_management should use. When set to "false", the forwarder_management uses the agent management UI. When set to "true", the forwarder_management uses the deployment server UI. 28 | * Default: false. 29 | 30 | log_level = 31 | * How verbose the logs are. 32 | * log level = DEBUG | INFO | WARN | ERROR | FATAL 33 | * Default: INFO 34 | 35 | request_timeout = 36 | * A global request timeout setting that defines how long the Agent Manager processes a request before it times out. 
37 | * Valid values are numbers followed by a time unit. 38 | * Valid time units are "ms", "s", "m", "h". 39 | * Default: 90s. 40 | 41 | [search_client] 42 | * Agent Management helper process settings for the SPL subsystem. 43 | 44 | polling_interval = 45 | * How long the Agent Manager waits between HTTP calls to retrieve search results. 46 | * Valid values are numbers followed by a time unit. 47 | * Valid time units are "ms", "s", "m", "h". 48 | * Default: 500ms. 49 | 50 | query_agents_with_error = 51 | * The SPL search that is run to obtain a list of agents with a status of "error". 52 | 53 | query_agents_offline = 54 | * The SPL search that is run to obtain a list of offline agents. 55 | 56 | query_agents_updated_config = 57 | * The SPL search that is run to obtain a list of agents with updated configurations. 58 | 59 | query_agent_version = 60 | * The SPL search that is run to obtain a list of agents and their corresponding versions. 61 | 62 | query_app_summary = 63 | * The SPL search that is run to obtain a summary of the status of each application. 64 | 65 | [splunkd_client] 66 | * Agent Management helper process settings that are used for communicating with splunkd. 67 | 68 | connection_pool_size = 69 | * The number of HTTP connections that can be handled simultaneously by the Agent Manager. 70 | * Default: 10 71 | 72 | request_timeout = 73 | * A time limit for HTTP requests made by the Agent Manager to splunkd. 74 | * Valid values are numbers followed by a time unit. 75 | * Valid time units are "ms", "s", "m", "h". 76 | * Default: 60s. 77 | 78 | connection_keep_alive = 79 | * The maximum amount of time an idle connection made by the 80 | Agent Manager to splunkd remains idle before closing. 81 | * This value must be set lower than the 'busyKeepAliveIdleTimeout' 82 | setting in server.conf, '[httpServer]' stanza. 83 | * Valid values are numbers followed by a time unit. 84 | * Valid time units are "ms", "s", "m", and "h". 
85 | * Default: 11s 86 | 87 | [settings_sync] 88 | * The Agent Management helper process settings for the settings synchronization subsystem. 89 | * The settings synchronization subsystem periodically obtains the Deployment Server settings. 90 | 91 | polling_interval = 92 | * How long the Agent Manager waits between HTTP calls to retrieve the Deployment Server settings. 93 | * Valid values are numbers followed by a time unit. 94 | * Valid time units are "ms", "s", "m", "h". 95 | * Default: 5m. 96 | 97 | [effective_configuration] 98 | * Settings dedicated to the Effective Configuration feature. 99 | 100 | max_size = 101 | * The maximum size, in megabytes, of the effective configuration 102 | that the universal forwarder sends to the Agent Manager, and that 103 | the deployment server saves. 104 | * The effective configuration of the forwarder comprises 105 | the rules of operation and data processing for the forwarder, 106 | specifically, the configuration as shown by various 'splunk 107 | btool' commands. 108 | * If the size of the effective configuration for a forwarder 109 | exceeds this value, then the Agent Manager rejects the payload 110 | as too large, and the deployment server does not save 111 | the configuration. 112 | * Must be a positive number. 113 | * Default: 16 114 | 115 | cleanup_threshold = 116 | * The limit of the total size of all effective configurations 117 | data on the disk (in MB). When this limit is exceeded, 118 | the scheduled cron cleanup job will perform the cleanup. 119 | * There is no maximum value for this setting, but a very large value 120 | (over 10000) can cause the cleanup to never run. 121 | * Must be a positive number. 122 | * Default: 6144 123 | 124 | cleanup_schedule = 125 | * The cron schedule for cleaning up the effective configuration data. 126 | * The default schedule is set to 3:00 AM every day in the local time zone. 127 | * To turn off the effective configuration cleanup, set the value to "disabled". 
128 | * Must be in the cron format. 129 | * Default: 0 3 * * * 130 | -------------------------------------------------------------------------------- /field_filters.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # READ THIS FIRST: Should you deploy field filters in your organization? 5 | ############################################################################ 6 | # Field filters is a powerful tool that can help many organizations protect 7 | # their sensitive fields from prying eyes, but it might not be a good fit 8 | # for everyone. If your organization runs Splunk Enterprise Security or if 9 | # your users rely heavily on commands that field filters restricts by default 10 | # (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters 11 | # in production until you have thoroughly planned how you will work around 12 | # these restricted commands. For more information about restricted commands, 13 | # search for "Plan for field filters in your organization" in Securing 14 | # Splunk Platform in the Splunk Docs. 15 | # 16 | ############################################################################ 17 | # OVERVIEW 18 | ############################################################################ 19 | # This file contains descriptions of the settings that you can use to 20 | # configure field filters in the field_filters.conf file. 21 | # 22 | # To learn about how to protect PII, PHI, and other sensitive data with 23 | # field filters, search for "Protect PII, PHI, and other sensitive data 24 | # with field filters" in Securing Splunk Platform in the Splunk Docs. 25 | # 26 | # Configurations for field filters are stored in 27 | # etc/system/local/field_filters.conf. 
28 | # To customize your configuration, create a field_filters.conf file 29 | # at $SPLUNK_HOME/etc/system/local if you are using *nix, or 30 | # %SPLUNK_HOME%\etc\system\local if you are using Windows. 31 | 32 | [] 33 | * Field filter names can contain only alphanumeric characters and 34 | underscores "_". 35 | * Each field filter must have a unique name. 36 | 37 | action = = 38 | * BNF for syntax: 39 | ::= = 40 | ::= null() | sha256() | sha512() | 41 | | sed() 42 | ::= 43 | * An operator for an action can be one of the following: 44 | * null(): Removes the from results of 45 | searches to which this filter is applied. 46 | For example: action = "password"=null() 47 | * sha256(): Hashes the value with a SHA-256 hash 48 | wherever the appears in results of searches to which this 49 | filter is applied. 50 | For example: action = "userid"=sha256() 51 | * sha512(): Hashes the value with a SHA-512 hash 52 | wherever the appears in results of searches to which this 53 | filter is applied. 54 | For example: action = "userid"=sha512() 55 | * : Replaces the value 56 | with the specified string wherever the value appears in results 57 | of searches to which this filter is applied. 58 | For example: action = "ssn"="xxx-xx-xxx" 59 | * sed(): Uses the sed expression on the '_raw' field to 60 | which this filter is applied. The sed expression replaces strings in raw 61 | events that are matched by a regular expression (s) or transliterates 62 | characters found in raw events with corresponding characters 63 | provided by the sed expression (y). 64 | For example: action = "_raw"=sed("s/drop_count=0/drop_count=ZERO/g") 65 | * is a sequence of characters enclosed in double quotation 66 | marks (" "). Use \ to escape the characters \ and " in a string literal 67 | (\\ and \" respectively). 68 | * No default. 69 | * Required. 70 | 71 | limit = [::] 72 | * Apply the action of a field filter to events matching the specified 73 | 'host', 'source', or 'sourcetype' limit. 
74 | * Use to specify the limit type: 'host', 'source', or 'sourcetype'. 75 | You can't specify multiple limit types in a single field filter. 76 | * Use to specify a value or a list of comma-separated values for 77 | the specified limit. 78 | * Example 1: limit = sourcetype::access_combined 79 | The field filter acts on events that match the 'access_combined' source type. 80 | * Example 2: limit = sourcetype::st1,st2,st3 81 | The field filter acts on events that match any of the following source types: 82 | 'st1', 'st2', or 'st3'. 83 | * No default. 84 | * Optional. 85 | 86 | index = 87 | * Apply the action of a field filter to events from the specified indexes. 88 | * Use to specify an index name or a list of comma-separated index 89 | names. 90 | * Example 1: index = myidx 91 | A field filter acts on events from the 'myidx' index. 92 | * Example 2: index = idx1,idx2,idx3 93 | A field filter acts on events from any of the following indexes: 94 | 'idx1', 'idx2', or 'idx3'. 95 | * No default. 96 | * Required. 97 | 98 | description = 99 | * Used to store a description of the field filter. 100 | * No default. 101 | * Optional. 102 | 103 | roleExemptions = 104 | * To maintain data security and integrity, do not manually change this setting. 105 | * Identifies the user roles that are exempt from this field filter. 106 | * This setting is automatically generated by Splunk Web or Splunk platform 107 | REST API requests, and should not be manually edited. 108 | * indicates a role name or a list of comma-separated role 109 | names that are exempt from this field filter. 110 | * This setting and the 'fieldFilterExemption' setting in the 'authorize.conf' 111 | file are both required to exempt a role from a field filter. 112 | * Example 1: roleExemptions = myrole 113 | A field filter is not applied to searches of a user who has the role "myrole". 
114 | * Example 2: roleExemptions = role_1,role_2,role_3 115 | A field filter is not applied to searches of a user who has any of the 116 | following roles: "role_1", "role_2", "role_3". 117 | * No default. 118 | * Optional. 119 | -------------------------------------------------------------------------------- /visualizations.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains definitions for visualizations an app makes available 4 | # to the system. If you want your app to share visualizations with the system, 5 | # include a visualizations.conf in $SPLUNK_HOME/etc/apps//default 6 | # Within the file, include one stanza for each visualization to be shared. 7 | # 8 | # To learn more about configuration files (including precedence) please see 9 | # the documentation located at 10 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 11 | 12 | #******* 13 | # The following attribute/value pairs are possible for stanzas in visualizations.conf: 14 | #******* 15 | 16 | [] 17 | * Create a unique stanza name for each visualization that matches the visualization's name. 18 | * Follow the stanza name with any number of the following attribute/value 19 | pairs. 20 | * If you don't specify an attribute, Splunk uses the default. 21 | 22 | disabled = 23 | * Disable the visualization by setting to true. 24 | * Optional. 25 | * If set to true, the visualization is not available anywhere in Splunk 26 | * Default: false. 27 | 28 | allow_user_selection = 29 | * Whether the visualization is available for users to select. 30 | * Optional. 31 | * Default: true 32 | 33 | label = 34 | * The human-readable label or title of the visualization. 35 | * Required. 36 | * The label is used in dropdowns and lists as the name of the visualization. 37 | * Default: . 38 | 39 | description = 40 | * A short description that appears in the visualizations picker. 41 | * Required. 
42 | * Default: "" 43 | 44 | search_fragment = 45 | * An example part of a search that formats the data correctly for the visualization. 46 | * Required. 47 | * Typically the last pipe or pipes in a search query. 48 | * Default: "" 49 | 50 | default_height = 51 | * The default height of the visualization, in pixels. 52 | * Optional. 53 | * Default: 250 54 | 55 | default_width = 56 | * The default width of the visualization, in pixels 57 | * Optional. 58 | * Default: 250 59 | 60 | min_height = 61 | * The minimum height the visualizations can be rendered in, in pixels. 62 | * Optional. 63 | * Default: 50 64 | 65 | min_width = 66 | * The minimum width the visualizations can be rendered in, in pixels. 67 | * Optional. 68 | * Default: 50 69 | 70 | max_height = 71 | * The maximum height the visualizations can be rendered in, in pixels. 72 | * Optional. 73 | * Default: unbounded 74 | 75 | max_width = 76 | * The maximum width the visualizations can be rendered in, in pixels. 77 | * Optional. 78 | * Default: unbounded. 79 | 80 | trellis_default_height = 81 | * The default height of the visualization if using trellis layout. 82 | * Default: 400 83 | 84 | trellis_min_widths = 85 | * The minimum width of a visualization if using trellis layout. 86 | * Default: undefined 87 | 88 | trellis_per_row = 89 | * The number of trellises per row. 90 | * Default: undefined 91 | 92 | # The following settings define data sources supported by the visualization and their initial fetch parameters for search results data: 93 | 94 | data_sources = 95 | * A list of data source types supported by the visualization. 96 | * The visualization system currently provides the following types of data sources: 97 | * - primary: Main data source driving the visualization. 98 | * - annotation: Additional data source for time series visualizations to show discrete event annotation on the time axis. 
99 | * Default: primary 100 | 101 | data_sources..params.output_mode = [json_rows|json_cols|json] 102 | * The data format that the visualization expects. Must be one of the following: 103 | - "json_rows": corresponds to SplunkVisualizationBase.ROW_MAJOR_OUTPUT_MODE 104 | - "json_cols": corresponds to SplunkVisualizationBase.COLUMN_MAJOR_OUTPUT_MODE 105 | - "json": corresponds to SplunkVisualizationBase.RAW_OUTPUT_MODE 106 | * Optional. 107 | * Requires the JavaScript implementation to supply initial data parameters. 108 | * Default: undefined 109 | 110 | data_sources..params.count = 111 | * How many rows of results to request. 112 | * Optional. 113 | * Default: 1000 114 | 115 | data_sources..params.offset = 116 | * The index of the first requested result row. 117 | * Optional. 118 | * Default: 0 119 | 120 | data_sources..params.sort_key = 121 | * The field name to sort the results by. 122 | * Optional. 123 | 124 | data_sources..params.sort_direction = [asc|desc] 125 | * The direction of the sort: 126 | - asc: Sort in ascending order 127 | - desc: Sort in descending order 128 | * Optional. 129 | * Default: desc 130 | 131 | data_sources..params.search = 132 | * A post-processing search to apply to generate the results. 133 | * Optional. 134 | * There is no default. 135 | 136 | data_sources..mapping_filter = 137 | 138 | data_sources..mapping_filter.center = 139 | 140 | data_sources..mapping_filter.zoom = 141 | 142 | supports_trellis = 143 | * Whether trellis layout is available for this visualization. 144 | * Optional. 145 | * Default: false 146 | 147 | supports_drilldown = 148 | * Whether the visualization supports drilldown. 149 | * Optional. 150 | * A drilldown is a responsive action triggered when users click on the visualization. 151 | * Default: false 152 | 153 | supports_export = 154 | * Whether the visualization supports being exported as a PDF. 155 | * Optional. 156 | * This setting has no effect in third-party visualizations. 
157 | * Default: false 158 | 159 | # Internal settings for bundled visualizations. They are ignored for third party visualizations. 160 | core.type = 161 | core.viz_type = 162 | core.charting_type = 163 | core.mapping_type = 164 | core.order = 165 | core.icon = 166 | core.preview_image = 167 | core.recommend_for = 168 | core.height_attribute = 169 | 170 | -------------------------------------------------------------------------------- /workload_pools.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | ############################################################################ 6 | # This file contains descriptions of the settings that you can use to 7 | # configure workloads for splunk. 8 | # 9 | # There is a workload_pools.conf file in the $SPLUNK_HOME/etc/system/default/ directory. 10 | # Never change or copy the configuration files in the default directory. 11 | # The files in the default directory must remain intact and in their original 12 | # location. 13 | # 14 | # To set custom configurations, create a new file with the name workload_pools.conf in 15 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 16 | # that you want to customize to the local configuration file. 17 | # For examples, see workload_pools.conf.example. You may need to restart the Splunk instance 18 | # to enable configuration changes. 19 | # 20 | # To learn more about configuration files (including file precedence) see the 21 | # documentation located at 22 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 23 | # 24 | ############################################################################ 25 | # GLOBAL SETTINGS 26 | ############################################################################ 27 | # Use the [default] stanza to define any global settings. 
28 | # * You can also define global settings outside of any stanza, at the top of 29 | # the file. 30 | # * Each .conf file should have at most one default stanza. If there are 31 | # multiple default stanzas, settings are combined. In the case of 32 | # multiple definitions of the same setting, the last definition in the 33 | # file takes precedence. 34 | # * If a setting is defined at both the global level and in a specific 35 | # stanza, the value in the specific stanza takes precedence. 36 | # 37 | # CAUTION: Do not alter the settings in the workload_pools.conf file unless you know 38 | # what you are doing. Improperly configured workloads might result in 39 | # splunkd crashes, memory overuse, or both. 40 | 41 | [general] 42 | enabled = 43 | * Specifies whether workload management has been enabled on the system or not. 44 | * This setting only applies to the default stanza as a global setting. 45 | * Default: false 46 | 47 | default_pool = 48 | * Specifies the default workload pool to be used at runtime for search workloads. 49 | * This setting is maintained for backward compatibility with previous releases. 50 | Its value is set but is not used in the current release. This value matches the 51 | default_pool value of [workload_category:search]. 52 | * This setting is only applicable when workload management has been enabled in 53 | the system. If workload management has been enabled, this is a mandatory setting. 54 | 55 | ingest_pool = 56 | * Specifies the workload pool for splunkd and helper processes that control 57 | data ingestion and related actions in the Splunk deployment. 58 | * This setting is maintained for backward compatibility with previous releases. 59 | Its value is set but is not used in the current release. This value matches the 60 | default_pool value of [workload_category:ingest]. 61 | * This setting is only applicable when workload management has been enabled in 62 | the system. 
If workload management has been enabled, this is a mandatory setting. 63 | 64 | workload_pool_base_dir_name = 65 | * Specifies the base controller directory name for Splunk cgroups on Linux that is 66 | used by a Splunk deployment. 67 | * Workload pools created from the workload management page are all created relative 68 | to this base directory. 69 | * This setting is only applicable when workload management has been enabled in 70 | the system. If workload management has been enabled, this is a mandatory setting. 71 | * Default: splunk 72 | 73 | [workload_pool:] 74 | cpu_weight = 75 | * Specifies the cpu weight to be used by this workload pool. 76 | * This is a percentage of the total cpu resources available to the category to 77 | which the pool belongs. 78 | * Default: not set 79 | 80 | mem_weight = 81 | * Specifies the memory weight to be used by this workload pool. 82 | * This is a percentage of the total memory resources available to the category to 83 | which the pool belongs. 84 | * This is a mandatory parameter for the creation of a workload pool and only 85 | allows positive integral values. 86 | * Default: not set 87 | 88 | category = 89 | * Specifies the category to which this workload pool belongs. 90 | * Required to create a workload pool. 91 | * Valid categories are "search","misc" and "ingest". 92 | * The "ingest" and "misc" categories each contain one pool only, which is the 93 | default_pool for the respective category. 94 | * Default: not set 95 | 96 | default_category_pool = 97 | * Specifies if this pool is the default pool for its category. 98 | * Admin users can specify workload pools associated with roles. If no workload 99 | pool is found, the default_pool defined for this category is used. 100 | * The first pool that is added to a category has this value set to 1. 101 | * All other pools have this value set to 0. 102 | * Required if workload management is enabled. 
103 | * Default: false 104 | 105 | [workload_category:] 106 | * Specifies the resource allocation for workload pools in this category. 107 | The value can be "search", "ingest", or "misc". 108 | cpu_weight = 109 | * Specifies the cpu weight to be used by this category. 110 | * This is a percentage of the total cpu resources available to all categories. 111 | * This parameter exists in the default configuration and is editable with values 112 | that are positive integer values less than 100. 113 | * Default: set in the default configuration. 114 | 115 | mem_weight = 116 | * Specifies the memory weight to be used by this category. 117 | * This is a percentage of the total memory resources available to all categories. 118 | * This parameter exists in the default configuration and is editable with values 119 | that are positive integer values less than 100. 120 | * Default: set in the default configuration. 121 | -------------------------------------------------------------------------------- /fields.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | ############################################################################ 4 | # OVERVIEW 5 | ############################################################################ 6 | # This file contains possible attribute and value pairs for: 7 | # * Telling Splunk how to handle multi-value fields. 8 | # * Distinguishing indexed and extracted fields. 9 | # * Improving search performance by telling the search processor how to 10 | # handle field values. 11 | # 12 | # Each stanza controls different search commands settings. 13 | # 14 | # There is a fields.conf file in the $SPLUNK_HOME/etc/system/default/ directory. 15 | # Never change or copy the configuration files in the default directory. 16 | # The files in the default directory must remain intact and in their original 17 | # location. 
18 | # 19 | # To set custom configurations, create a new file with the name fields.conf in 20 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings 21 | # that you want to customize to the local configuration file. 22 | # For examples, see fields.conf.example. 23 | # You must restart the Splunk instance to enable configuration changes. 24 | # 25 | # To learn more about configuration files (including file precedence) see the 26 | # documentation located at 27 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 28 | # 29 | ############################################################################ 30 | # GLOBAL SETTINGS 31 | ############################################################################ 32 | # 33 | # Use the [default] stanza to define any global settings. 34 | # * You can also define global settings outside of any stanza, at the top of 35 | # the file. 36 | # * Each conf file should have at most one default stanza. If there are 37 | # multiple default stanzas, attributes are combined. In the case of 38 | # multiple definitions of the same attribute, the last definition in the 39 | # file wins. 40 | # * If an attribute is defined at both the global level and in a specific 41 | # stanza, the value in the specific stanza takes precedence. 42 | 43 | [|sourcetype::::] 44 | * The name of the field that you are configuring. This can be a simple field name, 45 | or it can be a wildcard expression that is scoped to a source type. 46 | * Field names can contain only "a-z", "A-Z", "0-9", "." , ":", and "_". They 47 | cannot begin with a number "0-9" or an underscore "_". 48 | 49 | * Wildcard expressions have the same limitations as field names, but they can 50 | also contain and/or start with a *. 51 | * Do not create indexed fields with names that collide with names of fields 52 | that are extracted at search time. 
53 | * A source-type-scoped wildcard expression causes all indexed fields that match 54 | the wildcard expression to be scoped with the specified source type. 55 | * Apply source-type-scoped wildcard expressions to all fields associated with 56 | structured data source types, such as JSON-formatted data. Do not apply it 57 | to mixed datatypes that contain both structured and unstructured data. 58 | * When you apply this method to structured data fields, searches against 59 | those fields should complete faster. 60 | * Example: '[sourcetype::splunk_resource_usage::data*]' defines all fields 61 | starting with "data" as indexed fields for 62 | 'sourcetype=splunk_resource_usage'. 63 | * The Splunk software processes source-type-scoped wildcard expressions 64 | before it processes source type aliases. 65 | * Source-type-scoped wildcard expressions require 66 | 'indexed_fields_expansion = t' in limits.conf. 67 | * Follow the stanza name with any number of the following attribute/value 68 | pairs. 69 | 70 | # 'TOKENIZER' enables you to indicate that a field value is a smaller part of a 71 | # token. For example, your raw event has a field with the value "abc123", but 72 | # you need this field to be a multivalue field with both "abc" and "123" as 73 | # values. 74 | TOKENIZER = 75 | * A regular expression that indicates how the field can take on multiple values 76 | at the same time. 77 | * Use this setting to configure multivalue fields. Refer to the online 78 | documentation for multivalue fields. 79 | * If empty, the field can only take on a single value. 80 | * Otherwise, the first group is taken from each match to form the set of 81 | values. 82 | * This setting is used by the "search" and "where" commands, the summary and 83 | XML outputs of the asynchronous search API, and by the "top", "timeline", and 84 | "stats" commands. 85 | * Tokenization of indexed fields is not supported. If "INDEXED = true", 86 | the tokenizer attribute is ignored. 
87 | * No default. 88 | 89 | INDEXED = 90 | * Indicates whether a field is created at index time or search time. 91 | * Set to "true" if the field is created at index time. 92 | * Set to "false" for fields extracted at search time. This accounts for the 93 | majority of fields. 94 | * Default: false 95 | 96 | INDEXED_VALUE = [true|false||] 97 | * Set to "true" if the value is in the raw text of the event. 98 | * Set to "false" if the value is not in the raw text of the event. 99 | * Setting this to "true" expands any search for "key=value" 100 | into a search for value AND key=value 101 | since value is indexed. 102 | * For advanced customization, this setting supports sed style substitution. 103 | For example, 'INDEXED_VALUE=s/foo/bar/g' 104 | takes the value of the field, replaces all instances of 'foo' with 'bar,' 105 | and uses that new value as the value to search in the index. 106 | * This setting also supports a simple substitution based on looking for the 107 | literal string '' (including the '<' and '>' characters). 108 | For example, 'INDEXED_VALUE=source::**' 109 | takes a search for 'myfield=myvalue' 110 | and searches for 'source::*myvalue*' 111 | in the index as a single term. 112 | * For both substitution constructs, if the resulting string starts with a '[', 113 | Splunk interprets the string as a Splunk LISPY expression. For example, 114 | 'INDEXED_VALUE=[OR source::*]' 115 | turns 'myfield=myvalue' 116 | into applying the LISPY expression '[OR myvalue source::*myvalue]' 117 | (meaning it matches either 'myvalue' or 'source::*myvalue' terms). 118 | * NOTE: You only need to set 'indexed_value' if "indexed = false". 
119 | * Default: true 120 | -------------------------------------------------------------------------------- /metric_rollups.conf.spec: -------------------------------------------------------------------------------- 1 | # Version 10.0.2 2 | # 3 | # This file contains possible attribute/value pairs for rollup policy entries in 4 | # metric_rollups.conf. You can configure rollup policies by creating your own 5 | # metric_rollups.conf. 6 | # 7 | # There is a default metric_rollups.conf in $SPLUNK_HOME/etc/system/default. To 8 | # set custom configurations, place a metric_rollups.conf in 9 | # $SPLUNK_HOME/etc/system/local/. For examples, see 10 | # metric_rollups.conf.example. You must restart Splunk to enable configurations. 11 | # 12 | # To learn more about configuration files (including precedence) please see the 13 | # documentation located at 14 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles 15 | 16 | # GLOBAL SETTINGS 17 | # Use the [default] stanza to define any global settings. 18 | # * You can also define global settings outside of any stanza, at the top of 19 | # the file. 20 | # * Each conf file should have at most one default stanza. If there are 21 | # multiple default stanzas, attributes are combined. In the case of multiple 22 | # definitions of the same attribute, the last definition in the file wins. 23 | # * If an attribute is defined at both the global level and in a specific 24 | # stanza, the value in the specific stanza takes precedence. 25 | 26 | #******* 27 | # The possible attribute/value pairs for metric_rollups.conf are: 28 | #******* 29 | 30 | [index:] 31 | * Each metric_rollups.conf stanza defines the rollup summarization policy for a 32 | specific metric index. 33 | * A rollup policy can include multiple rollup summaries, each with a 34 | different rollup period. 35 | * Go to indexes.conf to find metric index configurations. Metric indexes have 36 | datatype=metric in their configurations. 
37 | 38 | defaultAggregation = <'#' separated list of aggregation functions> 39 | * Required. The default aggregation function for the rollup policy. The Splunk 40 | software uses this aggregation function to generate the rollup summary data 41 | points for all metrics in the source index with the exception of metrics that 42 | are identified by 'aggregation.' 43 | exclusion rules. 44 | * For example, if a rollup summary with a period of 1 hour has 45 | 'defaultAggregation = avg', each metric data point that it generates is the 46 | average of an hour of data points from the source metric. 47 | * Note that the 'perc' and 'upperperc' options require an integer. 48 | * Supported aggregation functions: [avg|count|max|median|min|perc|sum] 49 | * Default: avg 50 | 51 | dimensionList = 52 | * Optional. This setting provides a comma-separated list of dimensions. The 53 | dimensions must be present within the index to which the rollup policy 54 | applies. 55 | * This list corresponds to the `dimensionListType` setting, which determines 56 | whether this set of dimensions is included or excluded from the rollup 57 | metrics that are generated by the rollup summary. 58 | * Use the Metrics Catalog REST API endpoints to see the metrics and dimensions 59 | for a particular index. For more information see the REST API Reference 60 | Manual. 61 | * Default: not set 62 | 63 | dimensionListType = [excluded|included] 64 | * Optional. This setting determines whether the list of dimensions specified by 65 | the `dimensionList` setting is included or excluded from the rollup metrics 66 | that are generated by the rollup summaries in the rollup policy. 67 | * Select 'included' to indicate that the rollup metrics produced by the rollup 68 | policy will filter out all dimensions except the ones in the list. 69 | * Select 'excluded' to indicate that the rollup metrics produced by the rollup 70 | policy will include all available dimensions except the ones in the list. 
71 | * Default: excluded 72 | 73 | metricList = 74 | * Optional. This setting provides a comma-separated list of metrics. 75 | * This list corresponds to the 'metricListType' setting. 76 | * The listed metrics must be present within the source metric index. 77 | * Use the Metrics Catalog REST API endpoints in conjunction with the 'rest' 78 | command to see the metrics that exist within a particular source index. See 79 | the REST API Reference Manual and the Search Reference for more information. 80 | * Default: not set 81 | 82 | metricListType = 83 | * Optional. This setting determines whether the list of metrics specified by 84 | the 'metricList' setting is included or excluded when the search head rolls 85 | metrics up to the rollup summaries. 86 | * Select "included" to have the search head roll up only the listed metrics. 87 | * Select "excluded" to have the search head roll up all available metrics in 88 | the source metric index except the listed metrics. 89 | * Default: excluded 90 | 91 | aggregation. = <'#' separated list of aggregation functions> 92 | * Optional. Sets an exclusion rule for a rollup policy. Use this setting to 93 | override the 'defaultAggregation' setting for a specific metric. 94 | * Create exclusion rules for metrics that require different aggregation 95 | functions than the majority of the metrics in a rollup policy. 96 | * A single rollup policy can have multiple exclusion rules. 97 | * Supported aggregation functions: [avg|count|max|median|min|perc|sum] 98 | * Default: no values 99 | 100 | rollup..span =