Edit your custom visualization app to render something here.
');
27 |
28 | // Initialization logic goes here
29 | },
30 |
31 | // Optionally implement to format data returned from search.
32 | // The returned object will be passed to updateView as 'data'
33 | formatData: function(data) {
34 |
35 | // Format data
36 |
37 | return data;
38 | },
39 |
40 | // Implement updateView to render a visualization.
41 | // 'data' will be the data object returned from formatData or from the search
42 | // 'config' will be the configuration property object
43 | updateView: function(data, config) {
44 |
45 | // Draw something here
46 |
47 | },
48 |
49 | // Search data params
50 | getInitialDataParams: function() {
51 | return ({
52 | outputMode: SplunkVisualizationBase.ROW_MAJOR_OUTPUT_MODE,
53 | count: 10000
54 | });
55 | },
56 |
57 | // Override to respond to re-sizing events
58 | reflow: function() {}
59 | });
60 | });
--------------------------------------------------------------------------------
/resources/projects/modviz/appserver/static/visualizations/standin/visualization.css:
--------------------------------------------------------------------------------
1 | /*
2 | * CSS rules for visualization.
3 | * Class namespacing is good practice.
4 | */
5 |
6 |
--------------------------------------------------------------------------------
/resources/projects/modviz/appserver/static/visualizations/standin/webpack.config.js:
--------------------------------------------------------------------------------
1 | var webpack = require('webpack');
2 | var path = require('path');
3 |
4 | module.exports = {
5 | entry: 'visualization_source',
6 | resolve: {
7 | root: [
8 | path.join(__dirname, 'src'),
9 | ]
10 | },
11 | output: {
12 | filename: 'visualization.js',
13 | libraryTarget: 'amd'
14 | },
15 | externals: [
16 | 'api/SplunkVisualizationBase',
17 | 'api/SplunkVisualizationUtils'
18 | ]
19 | };
--------------------------------------------------------------------------------
/resources/projects/modviz/default/app.conf:
--------------------------------------------------------------------------------
1 | #
2 | # Splunk app configuration file
3 | #
4 |
5 | [install]
6 | is_configured = 1
7 |
8 | [ui]
9 | is_visible = 1
10 | label = standin
11 |
12 | [launcher]
13 | author = author
14 | description = Custom visualization generated by Visual Studio Code
15 | version = 1.0
16 |
17 |
--------------------------------------------------------------------------------
/resources/projects/modviz/default/data/ui/nav/default.xml:
--------------------------------------------------------------------------------
1 |
5 |
--------------------------------------------------------------------------------
/resources/projects/modviz/default/data/ui/views/README:
--------------------------------------------------------------------------------
1 | Add all the views that your app needs in this directory
2 |
--------------------------------------------------------------------------------
/resources/projects/modviz/default/savedsearches.conf:
--------------------------------------------------------------------------------
1 | [default]
2 | # Set property defaults
--------------------------------------------------------------------------------
/resources/projects/modviz/default/visualizations.conf:
--------------------------------------------------------------------------------
1 | #
2 | # Declare shared visualizations
3 | #
4 |
5 | [standin]
6 | label = Standin Viz
7 | description = This is a stand-in visualization.
--------------------------------------------------------------------------------
/resources/projects/modviz/metadata/default.meta:
--------------------------------------------------------------------------------
1 |
2 | # Application-level permissions
3 |
4 | []
5 | access = read : [ * ], write : [ admin, power ]
6 |
7 | ### EVENT TYPES
8 |
9 | [eventtypes]
10 | export = system
11 |
12 |
13 | ### PROPS
14 |
15 | [props]
16 | export = system
17 |
18 |
19 | ### TRANSFORMS
20 |
21 | [transforms]
22 | export = system
23 |
24 |
25 | ### LOOKUPS
26 |
27 | [lookups]
28 | export = system
29 |
30 |
31 | ### VIEWSTATES: even normal users should be able to create shared viewstates
32 |
33 | [viewstates]
34 | access = read : [ * ], write : [ * ]
35 | export = system
36 |
37 | ### Visualizations
38 |
39 | # Un-comment the stanza below to make the standin visualization available to all apps.
40 | # [visualizations/standin]
41 | # export = system
--------------------------------------------------------------------------------
/resources/projects/resthandler_template/README.md:
--------------------------------------------------------------------------------
1 | CREATE:
2 | `curl -k -u : -X POST https://:8089/servicesNS/nobody/example_rest/example_eai_handler -d name=new -d custom_parameter=`
3 |
4 | GET:
5 | `curl -k -u : https://:8089/servicesNS/nobody/example_rest/example_eai_handler/`
6 | OR
7 | `| rest /servicesNS/nobody/example_rest/example_eai_handler/new`
8 |
9 | LIST:
10 | `curl -k -u : https://:8089/servicesNS/nobody/example_rest/example_eai_handler`
11 | OR
12 | `| rest /servicesNS/nobody/example_rest/example_eai_handler`
13 |
14 | EDIT:
15 | `curl -k -u : -X POST https://:8089/servicesNS/nobody/example_rest/example_eai_handler/ -d custom_parameter=`
16 |
17 | DELETE:
18 | `curl -k -u : -X DELETE https://:8089/servicesNS/nobody/example_rest/example_eai_handler/`
--------------------------------------------------------------------------------
/resources/projects/resthandler_template/README/example_eai_handler.conf.spec:
--------------------------------------------------------------------------------
1 | custom_parameter =
2 | * A custom string accessible as a conf stanza parameter through a custom rest handler
--------------------------------------------------------------------------------
/resources/projects/resthandler_template/bin/example_eai_handler_schema.py:
--------------------------------------------------------------------------------
1 | from schema import Schema, And
2 |
3 | # The schema validation is provided by the Schema library documented here: https://pypi.org/project/schema/
4 | example_schema = Schema({
5 | 'name': And(str, len, error='Invalid name value'),
6 | 'custom_parameter': And(str, len, error='Invalid custom_parameter value'),
7 | })
8 |
9 | CONF_FIELDS = ['name', 'custom_parameter']
10 |
11 | # Supported POST request arguments -- removes name for Splunk API expectations
12 | ALL_FIELDS = list(set(CONF_FIELDS) - set(['name']))
--------------------------------------------------------------------------------
/resources/projects/resthandler_template/bin/log_helper.py:
--------------------------------------------------------------------------------
1 | import logging
2 | import logging.handlers
3 | import os
4 |
5 | def setup(level, name, file_name, use_rotating_handler=True):
6 | """
7 | Setup a logger for the REST handler.
8 |
9 | Arguments:
10 | level -- The logging level to use
11 | name -- The name of the logger to use
12 | file_name -- The file name to log to
13 | use_rotating_handler -- Indicates whether a rotating file handler ought to be used
14 | """
15 |
16 | logger = logging.getLogger(name)
17 | logger.propagate = False # Prevent the log messages from being duplicated in the python.log file
18 | logger.setLevel(level)
19 | log_file_path = os.path.join(os.environ['SPLUNK_HOME'], 'var', 'log', 'splunk', file_name)
20 | if use_rotating_handler:
21 | file_handler = logging.handlers.RotatingFileHandler(log_file_path, maxBytes=25000000, backupCount=5)
22 | else:
23 | file_handler = logging.FileHandler(log_file_path)
24 | formatter = logging.Formatter('%(created)f %(levelname)s :%(lineno)d %(message)s')
25 | file_handler.setFormatter(formatter)
26 | logger.addHandler(file_handler)
27 | return logger
28 |
--------------------------------------------------------------------------------
/resources/projects/resthandler_template/bin/schema.LICENSE-MIT:
--------------------------------------------------------------------------------
1 | Copyright (c) 2012 Vladimir Keleshev,
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal in
5 | the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
7 | of the Software, and to permit persons to whom the Software is furnished to do
8 | so, subject to the following conditions:
9 |
10 | The above copyright notice and this permission notice shall be included in all
11 | copies or substantial portions of the Software.
12 |
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
19 | SOFTWARE.
20 |
--------------------------------------------------------------------------------
/resources/projects/resthandler_template/default/app.conf:
--------------------------------------------------------------------------------
1 | # Splunk app configuration file
2 |
3 | [ui]
4 | label = Custom REST handler
5 | is_visible = 1
6 |
7 | [launcher]
8 | description = Custom REST handler by Visual Studio Code
9 | author = author
10 | version = 0.0.1
11 |
12 | [install]
13 | is_configured = 0
--------------------------------------------------------------------------------
/resources/projects/resthandler_template/default/restmap.conf:
--------------------------------------------------------------------------------
1 | [admin:example_eai_handler_manager]
2 | match = /
3 | members = example_eai_handler
4 |
5 | [admin_external:example_eai_handler]
6 | handlertype = python
7 | handlerfile = example_eai_handler.py
8 | handleractions = list,edit,create,remove,_reload
9 | handlerpersistentmode = true
--------------------------------------------------------------------------------
/resources/projects/resthandler_template/default/web.conf:
--------------------------------------------------------------------------------
1 | [expose:example_eai_handler]
2 | methods = POST,GET,DELETE
3 | pattern = example_eai_handler
4 |
5 | [expose:example_eai_handler_specify]
6 | methods = POST,GET,DELETE
7 | pattern = eexample_eai_handler/*
8 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/bin/filter.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | import sys
4 | import os
5 |
6 | sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib"))
7 | from splunklib.searchcommands import \
8 | dispatch, StreamingCommand, Configuration, Option, validators
9 |
10 |
11 | @Configuration()
12 | class %(command.title())Command(EventingCommand):
13 | """ %(synopsis)
14 |
15 | ##Syntax
16 |
17 | %(syntax)
18 |
19 | ##Description
20 |
21 | %(description)
22 |
23 | """
24 | def transform(self, events):
25 | # Put your event transformation code here
26 | pass
27 |
28 | dispatch(%(command.title())Command, sys.argv, sys.stdin, sys.stdout, __name__)
29 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/bin/generate.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | import sys
4 | import os
5 |
6 | sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib"))
7 | from splunklib.searchcommands import \
8 | dispatch, GeneratingCommand, Configuration, Option, validators
9 |
10 | @Configuration()
11 | class %(command.title())Command(GeneratingCommand):
12 | """ %(synopsis)
13 |
14 | ##Syntax
15 |
16 | %(syntax)
17 |
18 | ##Description
19 |
20 | %(description)
21 |
22 | """
23 | def generate(self):
24 | # Put your event code here
25 | pass
26 |
27 | dispatch(%(command.title())Command, sys.argv, sys.stdin, sys.stdout, __name__)
28 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/bin/report.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | import sys
4 | import os
5 |
6 | sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib"))
7 | from splunklib.searchcommands import \
8 | dispatch, ReportingCommand, Configuration, Option, validators
9 |
10 |
11 | @Configuration()
12 | class %(command.title())Command(ReportingCommand):
13 | """ %(synopsis)
14 |
15 | ##Syntax
16 |
17 | %(syntax)
18 |
19 | ##Description
20 |
21 | %(description)
22 |
23 | """
24 | @Configuration()
25 | def map(self, events):
26 | # Put your streaming preop implementation here, or remove the map method,
27 | # if you have no need for a streaming preop
28 | pass
29 |
30 | def reduce(self, events):
31 | # Put your reporting implementation
32 | pass
33 |
34 | dispatch(%(command.title())Command, sys.argv, sys.stdin, sys.stdout, __name__)
35 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/bin/stream.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | import sys
4 | import os
5 |
6 | sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib"))
7 | from splunklib.searchcommands import \
8 | dispatch, StreamingCommand, Configuration, Option, validators
9 |
10 |
11 | @Configuration()
12 | class %(command.title())Command(StreamingCommand):
13 | """ %(synopsis)
14 |
15 | ##Syntax
16 |
17 | %(syntax)
18 |
19 | ##Description
20 |
21 | %(description)
22 |
23 | """
24 | def stream(self, events):
25 | # Put your event transformation code here
26 | pass
27 |
28 | dispatch(%(command.title())Command, sys.argv, sys.stdin, sys.stdout, __name__)
29 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/default/app.conf:
--------------------------------------------------------------------------------
1 | # Splunk app configuration file
2 |
3 | [ui]
4 | label = standin
5 | is_visible = 1
6 |
7 | [package]
8 | id = standin
9 |
10 | [launcher]
11 | description = Custom command created by Visual Studio Code
12 | author = author
13 | version = 0.0.1
14 |
15 | [install]
16 | is_configured = 0
17 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/default/commands-scpv1.conf:
--------------------------------------------------------------------------------
1 | # [commands.conf]($SPLUNK_HOME/etc/system/README/commands.conf.spec)
2 | # Configuration for Search Commands Protocol version 1
3 |
4 | [%(command.lower()]
5 | filename = %(command.lower()).py
6 | enableheader = true
7 | outputheader = true
8 | requires_srinfo = true
9 | stderr_dest = message
10 | supports_getinfo = true
11 | supports_rawargs = true
12 | supports_multivalues = true
13 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/default/commands-scpv2.conf:
--------------------------------------------------------------------------------
1 | # [commands.conf]($SPLUNK_HOME/etc/system/README/commands.conf.spec)
2 | # Configuration for Search Commands Protocol version 2
3 |
4 | [%(command.lower()]
5 | filename = %(command.lower()).py
6 | chunked = true
7 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/default/commands.conf:
--------------------------------------------------------------------------------
1 | # [commands.conf]($SPLUNK_HOME/etc/system/README/commands.conf.spec)
2 | # Configured for Search Command Protocol version 1 by default
3 | # Replace the contents of this file with commands-scpv2.conf to enable Search Command Protocol version 2
4 |
5 | # [%(command.lower()]
6 | # filename = %(command.lower()).py
7 | # enableheader = true
8 | # outputheader = true
9 | # requires_srinfo = true
10 | # stderr_dest = message
11 | # supports_getinfo = true
12 | # supports_rawargs = true
13 | # supports_multivalues = true
14 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/default/data/ui/nav/default.xml:
--------------------------------------------------------------------------------
1 |
19 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/default/searchbnf.conf:
--------------------------------------------------------------------------------
1 | # [searchbnf.conf](http://docs.splunk.com/Documentation/Splunk/latest/Admin/Searchbnfconf)
2 |
3 | # [foo-command]
4 | # syntax = [foo]
5 | # shortdesc = [a brief description of your command]
6 | # usage = public
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/lib/splunklib/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright 2011-2015 Splunk, Inc.
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License"): you may
4 | # not use this file except in compliance with the License. You may obtain
5 | # a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 | # License for the specific language governing permissions and limitations
13 | # under the License.
14 |
15 | """Python library for Splunk."""
16 |
17 | from __future__ import absolute_import
18 | from splunklib.six.moves import map
19 | __version_info__ = (1, 6, 6)
20 | __version__ = ".".join(map(str, __version_info__))
21 |
--------------------------------------------------------------------------------
/resources/projects/searchcommands_template/metadata/default.meta:
--------------------------------------------------------------------------------
1 | []
2 | access = read: [ * ], write : [ admin ]
3 |
4 | [searchbnf]
5 | export = system
--------------------------------------------------------------------------------
/snippets/restmap.conf:
--------------------------------------------------------------------------------
1 | {
2 | "admin-external": {
3 | "description": "Generate restmap.conf admin_external stanza",
4 | "prefix": "admin_external",
5 | "body": [
6 | "[admin_external:${1:uniqueName}]",
7 | "handlertype = python",
8 | "python.version = ${2|python3,default,python,python2|}",
9 | "handlerfile = ${1:uniqueName}_rh.py",
10 | "handleractions = edit, list, remove, create",
11 | "handlerpersistentmode = ${3|true,false|}"
12 | ]
13 | }
14 | }
--------------------------------------------------------------------------------
/spec_files/7.3/audit.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # This file contains possible attributes and values you can use to configure
4 | # auditing and event signing in audit.conf.
5 | #
6 | # There is NO DEFAULT audit.conf. To set custom configurations, place an
7 | # audit.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
8 | # audit.conf.example. You must restart Splunk to enable configurations.
9 | #
10 | # To learn more about configuration files (including precedence) please see the
11 | # documentation located at
12 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
13 |
14 | # GLOBAL SETTINGS
15 | # Use the [default] stanza to define any global settings.
16 | # * You can also define global settings outside of any stanza, at the top of the file.
17 | # * Each conf file should have at most one default stanza. If there are
18 | # multiple default stanzas, attributes are combined. In the case of multiple
19 | # definitions of the same attribute, the last definition in the file wins.
20 | # * If an attribute is defined at both the global level and in a specific
21 | # stanza, the value in the specific stanza takes precedence.
22 |
23 | #########################################################################################
24 | # KEYS: specify your public and private keys for encryption.
25 | #########################################################################################
26 |
27 | queueing=[true|false]
28 | * Turn off sending audit events to the indexQueue -- tail the audit events
29 | instead.
30 | * If this is set to 'false', you MUST add an inputs.conf stanza to tail the
31 | audit log in order to have the events reach your index.
32 | * Defaults to true.
33 |
--------------------------------------------------------------------------------
/spec_files/7.3/datatypesbnf.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # This file effects how the search assistant (typeahead) shows the syntax for
4 | # search commands
5 |
6 | []
7 | * The name of the syntax type you're configuring.
8 | * Follow this field name with one syntax= definition.
9 | * Syntax type can only contain a-z, and -, but cannot begin with -
10 |
11 | syntax =
12 | * The syntax for you syntax type.
13 | * Should correspond to a regular expression describing the term.
14 | * Can also be a or other similar value.
15 |
--------------------------------------------------------------------------------
/spec_files/7.3/deployment.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # *** REMOVED; NO LONGER USED ***
4 | #
5 | #
6 | # This configuration file has been replaced by:
7 | # 1.) deploymentclient.conf - for configuring Deployment Clients.
8 | # 2.) serverclass.conf - for Deployment Server server class configuration.
9 | #
10 | #
11 | # Compatibility:
12 | # Splunk 4.x Deployment Server is NOT compatible with Splunk 3.x Deployment Clients.
13 | #
14 |
--------------------------------------------------------------------------------
/spec_files/7.3/federated.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # This file contains possible setting and value pairs for federated provider entries
4 | # for use in Data Fabric Search (DFS), when the federated search functionality is
5 | # enabled.
6 | #
7 | # A federated search allows authorized users to run searches across multiple federated
8 | # providers. Only Splunk deployments are supported as federated providers. Information
9 | # on the Splunk deployment (i.e. the federated provider) is added in the federated
10 | # provider stanza of the federated.conf file. A federated search deployment can have
11 | # multiple federated search datasets. The settings for federated search dataset stanzas
12 | # are located in savedsearches.conf.
13 | #
14 | # To learn more about configuration files (including precedence) please see the
15 | # documentation located at
16 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
17 | #
18 | # Here are the settings for the federated provider stanzas.
19 |
20 | []
21 | * Create a unique stanza name for each federated provider.
22 |
23 | type = [splunk]
24 | * Specifies the type of the federated provider.
25 | * Only Splunk deployments are supported as of this revision.
26 | * Default: splunk
27 |
28 | ip =
29 | * Identifies the IP address of the federated provider.
30 | * Default: No default.
31 |
32 | splunk.port =
33 | * Identifies the splunkd REST port on the remote Splunk deployment.
34 | * Default: No default.
35 |
36 | splunk.serviceAccount =
37 | * Identifies an authorized user on the remote Splunk deployment.
38 | * The security credentials associated with this account are managed securely in
39 | fshpasswords.conf.
40 | * Default: No default.
41 |
42 | splunk.app =
43 | * The name of the Splunk application on the remote Splunk deployment in which
44 | * to perform the search.
45 | * Default: No default.
46 |
--------------------------------------------------------------------------------
/spec_files/7.3/fshpasswords.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # This file maintains the credential information associated with a federated provider.
4 | #
5 | # There is no global, default fshpasswords.conf. Instead, anytime a user creates
6 | # a new user or edit a user assocated with a federated provider onwards hitting
7 | # the fsh storage endpoint will create this fshpasswords.conf file.
8 | #
9 | # To learn more about configuration files (including precedence) please see the
10 | # documentation located at
11 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
12 |
13 |
14 | [credential:::]
15 | password =
16 | * Password that corresponds to the service account for the given federated provider.
17 | * The password can be in clear text, however when saved from splunkd the
18 | password will always be encrypted
19 |
--------------------------------------------------------------------------------
/spec_files/7.3/literals.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # This file and all forms of literals.conf are now deprecated.
4 | # Instead, use the messages.conf file which is documented
5 | # at "Customize Splunk Web messages" in the Splunk documentation.
6 |
--------------------------------------------------------------------------------
/spec_files/7.3/migration.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # This file maintains the migration status in Splunk Enterprise.
4 | #
5 | # Splunk Enterprise automatically generates the configurations in
6 | # this file during a migration.
7 | # Do not edit any configurations in this file unless instructed to by
8 | # Splunk support.
9 | #
10 | # There is no global, default migration.conf. When migrating between certain
11 | # versions of Splunk Enterprise, Splunk will perform migration actions that
12 | # must only be executed once. To ensure these actions are not performed during
13 | # any subsequent migration, Splunk will create a migration.conf to record
14 | # whether or not particular migration actions have taken place.
15 | #
16 | # To learn more about configuration files (including precedence) please see the
17 | # documentation located at
18 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
19 |
--------------------------------------------------------------------------------
/spec_files/7.3/passwords.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # This file maintains the credential information for a given app in Splunk Enterprise.
4 | #
5 | # There is no global, default passwords.conf. Instead, anytime a user creates
6 | # a new user or edit a user onwards hitting the storage endpoint
7 | # will create this passwords.conf file which gets replicated
8 | # in a search head clustering enviornment.
9 | # Note that passwords.conf is only created from 6.3.0 release.
10 | #
11 | # You must restart Splunk Enterprise to reload manual changes to passwords.conf.
12 | #
13 | # To learn more about configuration files (including precedence) please see the
14 | # documentation located at
15 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
16 | # More details for storage endpoint is at
17 | # http://blogs.splunk.com/2011/03/15/storing-encrypted-credentials/
18 |
19 |
20 | [credential:::]
21 | password =
22 | * Password that corresponds to the given username for the given realm.
23 | Note that realm is optional
24 | * The password can be in clear text, however when saved from splunkd the
25 | password will always be encrypted
26 |
--------------------------------------------------------------------------------
/spec_files/7.3/procmon-filters.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # *** DEPRECATED ***
4 | #
5 | #
6 | # This file contains potential attribute/value pairs to use when configuring
7 | # Windows registry monitoring. The procmon-filters.conf file contains the
8 | # regular expressions you create to refine and filter the processes you want
9 | # Splunk to monitor. You must restart Splunk to enable configurations.
10 | #
11 | # To learn more about configuration files (including precedence) please see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | #### find out if this file is still being used.
16 |
17 | []
18 | * Name of the filter being defined.
19 |
20 | proc =
21 | * Regex specifying process image that you want Splunk to monitor.
22 |
23 | type =
24 | * Regex specifying the type(s) of process event that you want Splunk to
25 | monitor.
26 |
27 | hive =
28 | * Not used in this context, but should always have value ".*"
29 |
--------------------------------------------------------------------------------
/spec_files/7.3/source-classifier.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # This file contains all possible options for configuring settings for the
4 | # file classifier in source-classifier.conf.
5 | #
6 | # There is a source-classifier.conf in $SPLUNK_HOME/etc/system/default/ To
7 | # set custom configurations, place a source-classifier.conf in
8 | # $SPLUNK_HOME/etc/system/local/. For examples, see
9 | # source-classifier.conf.example. You must restart Splunk to enable
10 | # configurations.
11 | #
12 | # To learn more about configuration files (including precedence) please see
13 | # the documentation located at
14 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
15 |
16 |
17 | ignored_model_keywords =
18 | * Terms to ignore when generating a sourcetype model.
19 | * To prevent sourcetype "bundles/learned/*-model.xml" files from containing
20 | sensitive terms (e.g. "bobslaptop") that occur very frequently in your
21 | data files, add those terms to ignored_model_keywords.
22 |
23 | ignored_filename_keywords =
24 | * Terms to ignore when comparing a new sourcename against a known
25 | sourcename, for the purpose of classifying a source.
26 |
27 |
--------------------------------------------------------------------------------
/spec_files/7.3/sourcetypes.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # NOTE: sourcetypes.conf is a machine-generated file that stores the document
4 | # models used by the file classifier for creating source types.
5 |
6 | # Generally, you should not edit sourcetypes.conf, as most attributes are
7 | # machine generated. However, there are two attributes which you can change.
8 | #
9 | # There is a sourcetypes.conf in $SPLUNK_HOME/etc/system/default/ To set custom
10 | # configurations, place a sourcetypes..conf in $SPLUNK_HOME/etc/system/local/.
11 | # For examples, see sourcetypes.conf.example. You must restart Splunk to enable
12 | # configurations.
13 | #
14 | # To learn more about configuration files (including precedence) please see the
15 | # documentation located at
16 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
17 |
18 | # GLOBAL SETTINGS
19 | # Use the [default] stanza to define any global settings.
20 | # * You can also define global settings outside of any stanza, at the top of
21 | # the file.
22 | # * Each conf file should have at most one default stanza. If there are
23 | # multiple default stanzas, attributes are combined. In the case of
24 | # multiple definitions of the same attribute, the last definition in the
25 | # file wins.
26 | # * If an attribute is defined at both the global level and in a specific
27 | # stanza, the value in the specific stanza takes precedence.
28 |
29 |
30 | _sourcetype =
31 | * Specifies the sourcetype for the model.
32 | * Change this to change the model's sourcetype.
33 | * Future sources that match the model will receive a sourcetype of this new
34 | name.
35 |
36 |
37 | _source =
38 | * Specifies the source (filename) for the model.
39 |
--------------------------------------------------------------------------------
/spec_files/7.3/tags.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # This file contains possible attribute/value pairs for configuring tags. Set
4 | # any number of tags for indexed or extracted fields.
5 | #
6 | # There is no tags.conf in $SPLUNK_HOME/etc/system/default/. To set custom
7 | # configurations, place a tags.conf in $SPLUNK_HOME/etc/system/local/. For
8 | # help, see tags.conf.example. You must restart Splunk to enable
9 | # configurations.
10 | #
11 | # To learn more about configuration files (including precedence) please see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | [=]
16 | * The field name and value to which the tags in the stanza
17 | apply ( eg host=localhost ).
18 | * A tags.conf file can contain multiple stanzas. It is recommended that the
19 | value be URL encoded to avoid
20 | * config file parsing errors especially if the field value contains the
21 | following characters: \n, =, []
22 | * Each stanza can refer to only one field=value
23 |
24 | =
25 | =
26 | =
27 | * Set whether each for this specific is enabled or
28 | disabled.
29 | * While you can have multiple tags in a stanza (meaning that multiple tags are
30 | assigned to the same field/value combination), only one tag is allowed per
31 | stanza line. In other words, you can't have a list of tags on one line of the
32 | stanza.
33 |
34 | * WARNING: Do not quote the value: foo=enabled, not "foo"=enabled.
35 |
--------------------------------------------------------------------------------
/spec_files/7.3/user-seed.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # Specification for user-seed.conf. Allows configuration of Splunk's
4 | # initial username and password. Currently, only one user can be configured
5 | # with user-seed.conf.
6 | #
7 | # Specification for user-seed.conf. Allows configuration of Splunk's initial username and password.
8 | # Currently, only one user can be configured with user-seed.conf.
9 | #
10 | # To set the default username and password, place user-seed.conf in
11 | # $SPLUNK_HOME/etc/system/local. You must restart Splunk to enable configurations.
12 | # If the $SPLUNK_HOME/etc/passwd file is present, the settings in this file (user-seed.conf) are not used.
13 | #
14 | # Use HASHED_PASSWORD for a more secure installation. To hash a clear-text password,
15 | # use the 'splunk hash-passwd' command then copy the output to this file.
16 | #
17 | # If a clear text password is set (not recommended) and last character is '\', it should
18 | # be followed by a space for value to be read correctly. Password does not include extra
19 | # space at the end, it is required to ignore the special meaning of backslash in conf file.
20 | #
21 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
22 | # To learn more about configuration files (including precedence) please see the documentation
23 | # located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
24 |
25 | [user_info]
26 | * Default is Admin.
27 |
28 | USERNAME =
29 | * Username you want to associate with a password.
30 | * Default is Admin.
31 |
32 | PASSWORD =
33 | * Password you wish to set for that user.
34 | * Password must meet complexity requirements.
35 |
36 | HASHED_PASSWORD =
37 | * Password hash you wish to set for that user.
38 |
--------------------------------------------------------------------------------
/spec_files/7.3/viewstates.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 7.3.0
2 | #
3 | # This file explains how to format viewstates.
4 | #
5 | # To use this configuration, copy the configuration block into
6 | # viewstates.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk
7 | # to enable configurations.
8 | #
9 | # To learn more about configuration files (including precedence) please see
10 | # the documentation located at
11 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
12 |
13 | # GLOBAL SETTINGS
14 | # Use the [default] stanza to define any global settings.
15 | # * You can also define global settings outside of any stanza, at the top
16 | # of the file.
17 | # * Each conf file should have at most one default stanza. If there are
18 | # multiple default stanzas, attributes are combined. In the case of
19 | # multiple definitions of the same attribute, the last definition in the
20 | # file wins.
21 | # * If an attribute is defined at both the global level and in a specific
22 | # stanza, the value in the specific stanza takes precedence.
23 |
24 |
25 | [:]
26 | * Auto-generated persistence stanza label that corresponds to UI views
27 | * The is the URI name (not label) of the view to persist
28 | * if = "*", then this viewstate is considered to be 'global'
29 | * The is the unique identifier assigned to this set of
30 | parameters
31 | * = '_current' is a reserved name for normal view
32 | 'sticky state'
33 | * = '_empty' is a reserved name for no persistence,
34 | i.e., all defaults
35 |
36 | . =
37 | * The is the runtime id of the UI module requesting persistence
38 | * The is the setting designated by to persist
39 |
--------------------------------------------------------------------------------
/spec_files/8.0/audit.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file contains possible attributes and values you can use to configure
4 | # auditing and event signing in audit.conf.
5 | #
6 | # There is NO DEFAULT audit.conf. To set custom configurations, place an
7 | # audit.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
8 | # audit.conf.example. You must restart Splunk to enable configurations.
9 | #
10 | # To learn more about configuration files (including precedence) please see the
11 | # documentation located at
12 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
13 |
14 | # GLOBAL SETTINGS
15 | # Use the [default] stanza to define any global settings.
16 | # * You can also define global settings outside of any stanza, at the top of the file.
17 | # * Each conf file should have at most one default stanza. If there are
18 | # multiple default stanzas, attributes are combined. In the case of multiple
19 | # definitions of the same attribute, the last definition in the file wins.
20 | # * If an attribute is defined at both the global level and in a specific
21 | # stanza, the value in the specific stanza takes precedence.
22 |
23 | #########################################################################################
24 | # KEYS: specify your public and private keys for encryption.
25 | #########################################################################################
26 |
27 | queueing =
28 | * Whether or not audit events are sent to the indexQueue.
29 | * If set to "true", audit events are sent to the indexQueue.
30 | * If set to "false", you must add an inputs.conf stanza to tail the
31 | audit log for the events reach your index.
32 | * Default: true
33 |
--------------------------------------------------------------------------------
/spec_files/8.0/bookmarks.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file contains possible settings and values for configuring various
4 | # "bookmark" entries to be stored within a Splunk instance.
5 | #
6 | # To add custom bookmarks, place a bookmarks.conf file in
7 | # $SPLUNK_HOME/etc/system/local/ on the Splunk instance.
8 | # configuration content is deployed to a
9 | # given deployment client in serverclass.conf. Refer to
10 | #
11 | # To learn more about configuration files (including precedence), see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | [bookmarks_mc:*]
16 | url =
17 | * A bookmark URL that redirects logged-in administrators to other Monitoring
18 | Console instances that may be within their purview. Set this up if you have
19 | administrators who are responsible for the performance and uptime of multiple
20 | Splunk deployments.
21 | * The bookmark appears in the left pane of the Monitoring Console.
22 | * The URL must begin with http:// or https:// and contain 'splunk_monitoring_console'.
23 | * Default: not set
24 |
--------------------------------------------------------------------------------
/spec_files/8.0/datatypesbnf.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file effects how the search assistant (typeahead) shows the syntax for
4 | # search commands
5 |
6 | []
7 | * The name of the syntax type you're configuring.
8 | * Follow this field name with one syntax= definition.
9 | * Syntax type can only contain a-z, and -, but cannot begin with -
10 |
11 | syntax =
12 | * The syntax for you syntax type.
13 | * Should correspond to a regular expression describing the term.
14 | * Can also be a or other similar value.
15 |
--------------------------------------------------------------------------------
/spec_files/8.0/deployment.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # *** REMOVED; NO LONGER USED ***
4 | #
5 | #
6 | # This configuration file has been replaced by:
7 | # 1.) deploymentclient.conf - for configuring Deployment Clients.
8 | # 2.) serverclass.conf - for Deployment Server server class configuration.
9 | #
10 | #
11 | # Compatibility:
12 | # Splunk 4.x Deployment Server is NOT compatible with Splunk 3.x Deployment Clients.
13 | #
14 |
--------------------------------------------------------------------------------
/spec_files/8.0/federated.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file contains possible setting and value pairs for federated provider entries
4 | # for use in Data Fabric Search (DFS), when the federated search functionality is
5 | # enabled.
6 | #
7 | # A federated search allows authorized users to run searches across multiple federated
8 | # providers. Only Splunk deployments are supported as federated providers. Information
9 | # on the Splunk deployment (i.e. the federated provider) is added in the federated
10 | # provider stanza of the federated.conf file. A federated search deployment can have
11 | # multiple federated search datasets. The settings for federated search dataset stanzas
12 | # are located in savedsearches.conf.
13 | #
14 | # To learn more about configuration files (including precedence) please see the
15 | # documentation located at
16 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
17 | #
18 | # Here are the settings for the federated provider stanzas.
19 |
20 | []
21 | * Create a unique stanza name for each federated provider.
22 |
23 | type = [splunk]
24 | * Specifies the type of the federated provider.
25 | * Only Splunk deployments are supported as of this revision.
26 | * Default: splunk
27 |
28 | ip =
29 | * Identifies the IP address of the federated provider.
30 | * Default: No default.
31 |
32 | splunk.port =
33 | * Identifies the splunkd REST port on the remote Splunk deployment.
34 | * Default: No default.
35 |
36 | splunk.serviceAccount =
37 | * Identifies an authorized user on the remote Splunk deployment.
38 | * The security credentials associated with this account are managed securely in
39 | fshpasswords.conf.
40 | * Default: No default.
41 |
42 | splunk.app =
43 | * The name of the Splunk application on the remote Splunk deployment in which
44 | * to perform the search.
45 | * Default: No default.
46 |
--------------------------------------------------------------------------------
/spec_files/8.0/fshpasswords.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file maintains the credential information associated with a federated provider.
4 | #
5 | # There is no global, default fshpasswords.conf. Instead, anytime a user creates
6 | # a new user or edit a user assocated with a federated provider onwards hitting
7 | # the fsh storage endpoint will create this fshpasswords.conf file.
8 | #
9 | # To learn more about configuration files (including precedence) please see the
10 | # documentation located at
11 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
12 |
13 |
14 | [credential:::]
15 | password =
16 | * Password that corresponds to the service account for the given federated provider.
17 | * The password can be in clear text, however when saved from splunkd the
18 | password will always be encrypted
19 |
--------------------------------------------------------------------------------
/spec_files/8.0/instance.cfg.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file contains the set of attributes and values you can expect to find in
4 | # the SPLUNK_HOME/etc/instance.cfg file; the instance.cfg file is not to be
5 | # modified or removed by user. LEAVE THE instance.cfg FILE ALONE.
6 | #
7 |
8 | #
9 | # GLOBAL SETTINGS
10 | # The [general] stanza defines global settings.
11 | #
12 | [general]
13 |
14 | guid =
15 | * This setting formerly (before 5.0) belonged in the [general] stanza of
16 | server.conf file.
17 |
18 | * Splunk expects that every Splunk instance will have a unique string for this
19 | value, independent of all other Splunk instances. By default, Splunk will
20 | arrange for this without user intervention.
21 |
22 | * Currently used by (not exhaustive):
23 | * Clustering environments, to identify participating nodes.
24 | * Splunk introspective searches (Splunk on Splunk, Deployment Monitor,
25 | etc.), to identify forwarders.
26 |
27 | * At startup, the following happens:
28 |
29 | * If server.conf has a value of 'guid' AND instance.cfg has no value of
30 | 'guid', then the value will be erased from server.conf and moved to
31 | instance.cfg file.
32 |
33 | * If server.conf has a value of 'guid' AND instance.cfg has a value of
34 | 'guid' AND these values are the same, the value is erased from
35 | server.conf file.
36 |
37 | * If server.conf has a value of 'guid' AND instance.cfg has a value of 'guid'
38 | AND these values are different, startup halts and error is shown. Operator
39 | must resolve this error. We recommend erasing the value from server.conf
40 | file, and then restarting.
41 |
42 | * If you are hitting this error while trying to mass-clone Splunk installs,
43 | please look into the command 'splunk clone-prep-clear-config';
44 | 'splunk help' has help.
45 |
46 | * See http://www.ietf.org/rfc/rfc4122.txt for how a GUID (a.k.a. UUID) is
47 | constructed.
48 |
49 | * The standard regexp to match an all-uppercase GUID is
50 | "[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}".
51 |
--------------------------------------------------------------------------------
/spec_files/8.0/literals.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file and all forms of literals.conf are now deprecated.
4 | # Instead, use the messages.conf file which is documented
5 | # at "Customize Splunk Web messages" in the Splunk documentation.
6 |
--------------------------------------------------------------------------------
/spec_files/8.0/migration.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file maintains the migration status in Splunk Enterprise.
4 | #
5 | # Splunk Enterprise automatically generates the configurations in
6 | # this file during a migration.
7 | # Do not edit any configurations in this file unless instructed to by
8 | # Splunk support.
9 | #
10 | # There is no global, default migration.conf. When migrating between certain
11 | # versions of Splunk Enterprise, Splunk will perform migration actions that
12 | # must only be executed once. To ensure these actions are not performed during
13 | # any subsequent migration, Splunk will create a migration.conf to record
14 | # whether or not particular migration actions have taken place.
15 | #
16 | # To learn more about configuration files (including precedence) please see the
17 | # documentation located at
18 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
19 |
--------------------------------------------------------------------------------
/spec_files/8.0/passwords.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file maintains the credential information for a given app in Splunk Enterprise.
4 | #
5 | # There is no global, default passwords.conf. Instead, anytime a user creates
6 | # a new user or edit a user onwards hitting the storage endpoint
7 | # will create this passwords.conf file which gets replicated
8 | # in a search head clustering enviornment.
9 | # Note that passwords.conf is only created from 6.3.0 release.
10 | #
11 | # You must restart Splunk Enterprise to reload manual changes to passwords.conf.
12 | #
13 | # To learn more about configuration files (including precedence) please see the
14 | # documentation located at
15 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
16 | # More details for storage endpoint is at
17 | # http://blogs.splunk.com/2011/03/15/storing-encrypted-credentials/
18 |
19 |
20 | [credential:::]
21 | password =
22 | * Password that corresponds to the given username for the given realm.
23 | Note that realm is optional
24 | * The password can be in clear text, however when saved from splunkd the
25 | password will always be encrypted
26 |
--------------------------------------------------------------------------------
/spec_files/8.0/procmon-filters.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # *** DEPRECATED ***
4 | #
5 | #
6 | # This file contains potential attribute/value pairs to use when configuring
7 | # Windows registry monitoring. The procmon-filters.conf file contains the
8 | # regular expressions you create to refine and filter the processes you want
9 | # Splunk to monitor. You must restart Splunk to enable configurations.
10 | #
11 | # To learn more about configuration files (including precedence) please see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | #### find out if this file is still being used.
16 |
17 | []
18 | * Name of the filter being defined.
19 |
20 | proc =
21 | * Regex specifying process image that you want Splunk to monitor.
22 |
23 | type =
24 | * Regex specifying the type(s) of process event that you want Splunk to
25 | monitor.
26 |
27 | hive =
28 | * Not used in this context, but should always have value ".*"
29 |
--------------------------------------------------------------------------------
/spec_files/8.0/source-classifier.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file contains all possible options for configuring settings for the
4 | # file classifier in source-classifier.conf.
5 | #
6 | # There is a source-classifier.conf in $SPLUNK_HOME/etc/system/default/ To
7 | # set custom configurations, place a source-classifier.conf in
8 | # $SPLUNK_HOME/etc/system/local/. For examples, see
9 | # source-classifier.conf.example. You must restart Splunk to enable
10 | # configurations.
11 | #
12 | # To learn more about configuration files (including precedence) please see
13 | # the documentation located at
14 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
15 |
16 |
17 | ignored_model_keywords =
18 | * Terms to ignore when generating a sourcetype model.
19 | * To prevent sourcetype "bundles/learned/*-model.xml" files from containing
20 | sensitive terms (e.g. "bobslaptop") that occur very frequently in your
21 | data files, add those terms to ignored_model_keywords.
22 |
23 | ignored_filename_keywords =
24 | * Terms to ignore when comparing a new sourcename against a known
25 | sourcename, for the purpose of classifying a source.
26 |
27 |
--------------------------------------------------------------------------------
/spec_files/8.0/sourcetypes.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # NOTE: sourcetypes.conf is a machine-generated file that stores the document
4 | # models used by the file classifier for creating source types.
5 |
6 | # Generally, you should not edit sourcetypes.conf, as most attributes are
7 | # machine generated. However, there are two attributes which you can change.
8 | #
9 | # There is a sourcetypes.conf in $SPLUNK_HOME/etc/system/default/ To set custom
10 | # configurations, place a sourcetypes..conf in $SPLUNK_HOME/etc/system/local/.
11 | # For examples, see sourcetypes.conf.example. You must restart Splunk to enable
12 | # configurations.
13 | #
14 | # To learn more about configuration files (including precedence) please see the
15 | # documentation located at
16 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
17 |
18 | # GLOBAL SETTINGS
19 | # Use the [default] stanza to define any global settings.
20 | # * You can also define global settings outside of any stanza, at the top of
21 | # the file.
22 | # * Each conf file should have at most one default stanza. If there are
23 | # multiple default stanzas, attributes are combined. In the case of
24 | # multiple definitions of the same attribute, the last definition in the
25 | # file wins.
26 | # * If an attribute is defined at both the global level and in a specific
27 | # stanza, the value in the specific stanza takes precedence.
28 |
29 |
30 | _sourcetype =
31 | * Specifies the sourcetype for the model.
32 | * Change this to change the model's sourcetype.
33 | * Future sources that match the model will receive a sourcetype of this new
34 | name.
35 |
36 |
37 | _source =
38 | * Specifies the source (filename) for the model.
39 |
--------------------------------------------------------------------------------
/spec_files/8.0/tags.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file contains possible attribute/value pairs for configuring tags. Set
4 | # any number of tags for indexed or extracted fields.
5 | #
6 | # There is no tags.conf in $SPLUNK_HOME/etc/system/default/. To set custom
7 | # configurations, place a tags.conf in $SPLUNK_HOME/etc/system/local/. For
8 | # examples, see tags.conf.example. You must restart Splunk software to enable
9 | # configurations.
10 | #
11 | # To learn more about configuration files (including precedence) please see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | [=]
16 | * The field name and value to which the tags in the stanza
17 | apply. For example, host=localhost.
18 | * A tags.conf file can contain multiple stanzas. It is recommended that the
19 | value be URL encoded to avoid configuration file parsing errors, especially
20 | if the field value contains the following characters: \n, =, []
21 | * Each stanza can refer to only one field/value pair.
22 |
23 | =
24 | =
25 | =
26 | * Enable or disable each for this specific field/value pair.
27 | * While you can have multiple tags in a stanza (meaning that multiple tags are
28 | assigned to the same field/value combination), only one tag is allowed per
29 | stanza line. In other words, you can't have a list of tags on one line of the
30 | stanza.
31 | * WARNING: Do not put the value in quotes. For example,
32 | use foo=enabled, not "foo"=enabled.
33 |
--------------------------------------------------------------------------------
/spec_files/8.0/user-seed.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # Specification for user-seed.conf. Allows configuration of Splunk's
4 | # initial username and password. Currently, only one user can be configured
5 | # with user-seed.conf.
6 | #
7 | # Specification for user-seed.conf. Allows configuration of Splunk's initial username and password.
8 | # Currently, only one user can be configured with user-seed.conf.
9 | #
10 | # To set the default username and password, place user-seed.conf in
11 | # $SPLUNK_HOME/etc/system/local. You must restart Splunk to enable configurations.
12 | # If the $SPLUNK_HOME/etc/passwd file is present, the settings in this file (user-seed.conf) are not used.
13 | #
14 | # Use HASHED_PASSWORD for a more secure installation. To hash a clear-text password,
15 | # use the 'splunk hash-passwd' command then copy the output to this file.
16 | #
17 | # If a clear text password is set (not recommended) and last character is '\', it should
18 | # be followed by a space for value to be read correctly. Password does not include extra
19 | # space at the end, it is required to ignore the special meaning of backslash in conf file.
20 | #
21 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
22 | # To learn more about configuration files (including precedence) please see the documentation
23 | # located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
24 |
25 | [user_info]
26 | * Default is Admin.
27 |
28 | USERNAME =
29 | * Username you want to associate with a password.
30 | * Default is Admin.
31 |
32 | PASSWORD =
33 | * Password you wish to set for that user.
34 | * Password must meet complexity requirements.
35 |
36 | HASHED_PASSWORD =
37 | * Password hash you wish to set for that user.
38 |
--------------------------------------------------------------------------------
/spec_files/8.0/viewstates.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.0.0
2 | #
3 | # This file explains how to format viewstates.
4 | #
5 | # To use this configuration, copy the configuration block into
6 | # viewstates.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk
7 | # to enable configurations.
8 | #
9 | # To learn more about configuration files (including precedence) please see
10 | # the documentation located at
11 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
12 |
13 | # GLOBAL SETTINGS
14 | # Use the [default] stanza to define any global settings.
15 | # * You can also define global settings outside of any stanza, at the top
16 | # of the file.
17 | # * Each conf file should have at most one default stanza. If there are
18 | # multiple default stanzas, attributes are combined. In the case of
19 | # multiple definitions of the same attribute, the last definition in the
20 | # file wins.
21 | # * If an attribute is defined at both the global level and in a specific
22 | # stanza, the value in the specific stanza takes precedence.
23 |
24 |
25 | [:]
26 | * Auto-generated persistence stanza label that corresponds to UI views
27 | * The is the URI name (not label) of the view to persist
28 | * if = "*", then this viewstate is considered to be 'global'
29 | * The is the unique identifier assigned to this set of
30 | parameters
31 | * = '_current' is a reserved name for normal view
32 | 'sticky state'
33 | * = '_empty' is a reserved name for no persistence,
34 | i.e., all defaults
35 |
36 | . =
37 | * The is the runtime id of the UI module requesting persistence
38 | * The is the setting designated by to persist
39 |
--------------------------------------------------------------------------------
/spec_files/8.1/audit.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file contains possible attributes and values you can use to configure
4 | # auditing and event signing in audit.conf.
5 | #
6 | # There is NO DEFAULT audit.conf. To set custom configurations, place an
7 | # audit.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
8 | # audit.conf.example. You must restart Splunk to enable configurations.
9 | #
10 | # To learn more about configuration files (including precedence) please see the
11 | # documentation located at
12 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
13 |
14 | # GLOBAL SETTINGS
15 | # Use the [default] stanza to define any global settings.
16 | # * You can also define global settings outside of any stanza, at the top of the file.
17 | # * Each conf file should have at most one default stanza. If there are
18 | # multiple default stanzas, attributes are combined. In the case of multiple
19 | # definitions of the same attribute, the last definition in the file wins.
20 | # * If an attribute is defined at both the global level and in a specific
21 | # stanza, the value in the specific stanza takes precedence.
22 |
23 | #########################################################################################
24 | # KEYS: specify your public and private keys for encryption.
25 | #########################################################################################
26 |
27 | queueing =
28 | * Whether or not audit events are sent to the indexQueue.
29 | * If set to "true", audit events are sent to the indexQueue.
30 | * If set to "false", you must add an inputs.conf stanza to tail the
31 | audit log for the events reach your index.
32 | * Default: true
33 |
34 |
--------------------------------------------------------------------------------
/spec_files/8.1/bookmarks.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file contains possible settings and values for configuring various
4 | # "bookmark" entries to be stored within a Splunk instance.
5 | #
6 | # To add custom bookmarks, place a bookmarks.conf file in
7 | # $SPLUNK_HOME/etc/system/local/ on the Splunk instance.
8 | # configuration content is deployed to a
9 | # given deployment client in serverclass.conf. Refer to
10 | #
11 | # To learn more about configuration files (including precedence), see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | [bookmarks_mc:*]
16 | url =
17 | * A bookmark URL that redirects logged-in administrators to other Monitoring
18 | Console instances that may be within their purview. Set this up if you have
19 | administrators who are responsible for the performance and uptime of multiple
20 | Splunk deployments.
21 | * The bookmark appears in the left pane of the Monitoring Console.
22 | * The URL must begin with http:// or https:// and contain 'splunk_monitoring_console'.
23 | * Default: not set
24 |
--------------------------------------------------------------------------------
/spec_files/8.1/datatypesbnf.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file effects how the search assistant (typeahead) shows the syntax for
4 | # search commands.
5 |
6 | []
7 | * The name of the syntax type you are configuring.
8 | * Follow this field name with one syntax= definition.
9 | * Syntax type can only contain a-z, and -, but cannot begin with -
10 |
11 | syntax =
12 | * The syntax for your syntax type.
13 | * Should correspond to a regular expression describing the term.
14 | * Can also be a or other similar value.
15 |
--------------------------------------------------------------------------------
/spec_files/8.1/deployment.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # *** REMOVED; NO LONGER USED ***
4 | #
5 | #
6 | # This configuration file has been replaced by:
7 | # 1.) deploymentclient.conf - for configuring Deployment Clients.
8 | # 2.) serverclass.conf - for Deployment Server server class configuration.
9 | #
10 | #
11 | # Compatibility:
12 | # Splunk 4.x Deployment Server is NOT compatible with Splunk 3.x Deployment Clients.
13 | #
14 |
--------------------------------------------------------------------------------
/spec_files/8.1/federated.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file contains possible setting and value pairs for federated provider entries
4 | # for use in Data Fabric Search (DFS), when the federated search functionality is
5 | # enabled.
6 | #
7 | # A federated search allows authorized users to run searches across multiple federated
8 | # providers. Only Splunk deployments are supported as federated providers. Information
9 | # on the Splunk deployment (i.e. the federated provider) is added in the federated
10 | # provider stanza of the federated.conf file. A federated search deployment can have
11 | # multiple federated search datasets. The settings for federated search dataset stanzas
12 | # are located in savedsearches.conf.
13 | #
14 | # To learn more about configuration files (including precedence) please see the
15 | # documentation located at
16 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
17 | #
18 | # Here are the settings for the federated provider stanzas.
19 |
20 | []
21 | * Create a unique stanza name for each federated provider.
22 |
23 | type = [splunk]
24 | * Specifies the type of the federated provider.
25 | * Only Splunk deployments are supported as of this revision.
26 | * Default: splunk
27 |
28 | ip =
29 | * Identifies the IP address of the federated provider.
30 | * No default.
31 |
32 | splunk.port =
33 | * Identifies the splunkd REST port on the remote Splunk deployment.
34 | * No default.
35 |
36 | splunk.serviceAccount =
37 | * Identifies an authorized user on the remote Splunk deployment.
38 | * The security credentials associated with this account are managed securely in
39 | fshpasswords.conf.
40 | * No default.
41 |
42 | splunk.app =
43 | * The name of the Splunk application on the remote Splunk deployment in which
44 | * to perform the search.
45 | * No default.
46 |
--------------------------------------------------------------------------------
/spec_files/8.1/fshpasswords.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file maintains the credential information associated with a federated provider.
4 | #
5 | # There is no global, default fshpasswords.conf. Instead, anytime a user creates
6 | # a new user or edit a user assocated with a federated provider onwards hitting
7 | # the fsh storage endpoint will create this fshpasswords.conf file.
8 | #
9 | # To learn more about configuration files (including precedence) please see the
10 | # documentation located at
11 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
12 |
13 |
14 | [credential:::]
15 | password =
16 | * Password that corresponds to the service account for the given federated provider.
17 | * The password can be in clear text, however when saved from splunkd, the
18 | password will always be encrypted.
19 |
--------------------------------------------------------------------------------
/spec_files/8.1/global-banner.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | ############################################################################
4 | # OVERVIEW
5 | ############################################################################
6 | # This file contains descriptions of the settings that you can use to
7 | # configure a global banner at the top of every page in Splunk, above the Splunk bar.
8 | #
9 | # Each stanza controls different search commands settings.
10 | #
11 | # There is a global-banner.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
12 | # Never change or copy the configuration files in the default directory.
13 | # The files in the default directory must remain intact and in their original
14 | # location.
15 | #
16 | # To set custom configurations, create a new file with the name global-banner.conf in
17 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
18 | # that you want to customize to the local configuration file.
19 | # For examples, see global-banner.conf.example. You must restart the Splunk instance
20 | # to enable configuration changes.
21 | #
22 | # To learn more about configuration files (including file precedence) see the
23 | # documentation located at
24 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
25 |
26 | [BANNER_MESSAGE_SINGLETON]
27 | * IMPORTANT: It is only possible to declare one global banner. This is the only
28 | stanza that Splunk Web will read.
29 |
30 | global_banner.visible =
31 | * Default: false
32 |
33 | global_banner.message =
34 | * Default: Sample banner notification text. Please replace with your own message.
35 |
36 | global_banner.background_color = [green|blue|yellow|orange|red]
37 | * Default: blue
38 |
39 | global_banner.hyperlink = [http://|https://]
40 | * Default: none
41 |
42 | global_banner.hyperlink_text =
43 | * Default: none
44 |
--------------------------------------------------------------------------------
/spec_files/8.1/instance.cfg.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file contains the set of attributes and values you can expect to find in
4 | # the SPLUNK_HOME/etc/instance.cfg file; the instance.cfg file is not to be
5 | # modified or removed by user. LEAVE THE instance.cfg FILE ALONE.
6 | #
7 |
8 | #
9 | # GLOBAL SETTINGS
10 | # The [general] stanza defines global settings.
11 | #
12 | [general]
13 |
14 | guid =
15 | * This setting formerly (before 5.0) belonged in the [general] stanza of
16 | server.conf file.
17 |
18 | * Splunk expects that every Splunk instance will have a unique string for this
19 | value, independent of all other Splunk instances. By default, Splunk will
20 | arrange for this without user intervention.
21 |
22 | * Currently used by (not exhaustive):
23 | * Clustering environments, to identify participating nodes.
24 | * Splunk introspective searches (Splunk on Splunk, Deployment Monitor,
25 | etc.), to identify forwarders.
26 |
27 | * At startup, the following happens:
28 |
29 | * If server.conf has a value of 'guid' AND instance.cfg has no value of
30 | 'guid', then the value will be erased from server.conf and moved to
31 | instance.cfg file.
32 |
33 | * If server.conf has a value of 'guid' AND instance.cfg has a value of
34 | 'guid' AND these values are the same, the value is erased from
35 | server.conf file.
36 |
37 | * If server.conf has a value of 'guid' AND instance.cfg has a value of 'guid'
38 | AND these values are different, startup halts and error is shown. Operator
39 | must resolve this error. We recommend erasing the value from server.conf
40 | file, and then restarting.
41 |
42 | * If you are hitting this error while trying to mass-clone Splunk installs,
43 | please look into the command 'splunk clone-prep-clear-config';
44 | 'splunk help' has help.
45 |
46 | * See http://www.ietf.org/rfc/rfc4122.txt for how a GUID (a.k.a. UUID) is
47 | constructed.
48 |
49 | * The standard regexp to match an all-uppercase GUID is
50 | "[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}".
51 |
--------------------------------------------------------------------------------
/spec_files/8.1/literals.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file and all forms of literals.conf are now deprecated.
4 | # Instead, use the messages.conf file which is documented
5 | # at "Customize Splunk Web messages" in the Splunk documentation.
6 |
--------------------------------------------------------------------------------
/spec_files/8.1/migration.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file maintains the migration status in Splunk Enterprise.
4 | #
5 | # Splunk Enterprise automatically generates the configurations in
6 | # this file during a migration.
7 | # Do not edit any configurations in this file unless instructed to by
8 | # Splunk support.
9 | #
10 | # There is no global, default migration.conf. When migrating between certain
11 | # versions of Splunk Enterprise, Splunk will perform migration actions that
12 | # must only be executed once. To ensure these actions are not performed during
13 | # any subsequent migration, Splunk will create a migration.conf to record
14 | # whether or not particular migration actions have taken place.
15 | #
16 | # To learn more about configuration files (including precedence) please see the
17 | # documentation located at
18 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
19 |
--------------------------------------------------------------------------------
/spec_files/8.1/passwords.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file maintains the credential information for a given app in Splunk Enterprise.
4 | #
5 | # There is no global, default passwords.conf. Instead, anytime a user creates
6 | # a new user or edit a user onwards hitting the storage endpoint
7 | # will create this passwords.conf file which gets replicated
8 | # in a search head clustering enviornment.
9 | # Note that passwords.conf is only created from 6.3.0 release.
10 | #
11 | # You must restart Splunk Enterprise to reload manual changes to passwords.conf.
12 | #
13 | # To learn more about configuration files (including precedence) please see the
14 | # documentation located at
15 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
16 |
17 |
18 | [credential:::]
19 | password =
20 | * The password that corresponds to the given username for the given realm.
21 | * NOTE: The realm is optional.
22 | * The password can be in clear text, however when saved from splunkd the
23 | password will always be encrypted.
24 |
--------------------------------------------------------------------------------
/spec_files/8.1/procmon-filters.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # *** DEPRECATED ***
4 | #
5 | #
6 | # This file contains potential attribute/value pairs to use when configuring
7 | # Windows registry monitoring. The procmon-filters.conf file contains the
8 | # regular expressions you create to refine and filter the processes you want
9 | # Splunk to monitor. You must restart Splunk to enable configurations.
10 | #
11 | # To learn more about configuration files (including precedence) please see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | #### find out if this file is still being used.
16 |
17 | []
18 | * The name of the filter being defined.
19 |
20 | proc =
21 | * A regular expression that specifies process image that you want
22 | the Splunk platform to monitor.
23 | * No default.
24 |
25 | type =
26 | * A regular expression that specifies the type(s) of process events
27 | that you want the Splunk platform to monitor.
28 | * No default
29 |
30 | hive =
31 | * Not used in this context, but should always have value ".*"
32 |
--------------------------------------------------------------------------------
/spec_files/8.1/source-classifier.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file contains all possible options for configuring settings for the
4 | # file classifier in source-classifier.conf.
5 | #
6 | # There is a source-classifier.conf in $SPLUNK_HOME/etc/system/default/ To
7 | # set custom configurations, place a source-classifier.conf in
8 | # $SPLUNK_HOME/etc/system/local/. For examples, see
9 | # source-classifier.conf.example. You must restart Splunk to enable
10 | # configurations.
11 | #
12 | # To learn more about configuration files (including precedence) please see
13 | # the documentation located at
14 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
15 |
16 |
17 | ignored_model_keywords =
18 | * Terms to ignore when generating a sourcetype model.
19 | * To prevent sourcetype "bundles/learned/*-model.xml" files from containing
20 | sensitive terms (e.g. "bobslaptop") that occur very frequently in your
21 | data files, add those terms to ignored_model_keywords.
22 |
23 | ignored_filename_keywords =
24 | * Terms to ignore when comparing a new sourcename against a known
25 | sourcename, for the purpose of classifying a source.
26 |
27 |
--------------------------------------------------------------------------------
/spec_files/8.1/sourcetypes.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # NOTE: sourcetypes.conf is a machine-generated file that stores the document
4 | # models used by the file classifier for creating source types.
5 |
6 | # Generally, you should not edit sourcetypes.conf, as most attributes are
7 | # machine generated. However, there are two attributes which you can change.
8 | #
9 | # There is a sourcetypes.conf in $SPLUNK_HOME/etc/system/default/ To set custom
10 | # configurations, place a sourcetypes..conf in $SPLUNK_HOME/etc/system/local/.
11 | # For examples, see sourcetypes.conf.example. You must restart Splunk to enable
12 | # configurations.
13 | #
14 | # To learn more about configuration files (including precedence) please see the
15 | # documentation located at
16 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
17 |
18 | # GLOBAL SETTINGS
19 | # Use the [default] stanza to define any global settings.
20 | # * You can also define global settings outside of any stanza, at the top of
21 | # the file.
22 | # * Each conf file should have at most one default stanza. If there are
23 | # multiple default stanzas, attributes are combined. In the case of
24 | # multiple definitions of the same attribute, the last definition in the
25 | # file wins.
26 | # * If an attribute is defined at both the global level and in a specific
27 | # stanza, the value in the specific stanza takes precedence.
28 |
29 |
30 | _sourcetype =
31 | * Specifies the sourcetype for the model.
32 | * Change this to change the model's sourcetype.
33 | * Future sources that match the model will receive a sourcetype of this new
34 | name.
35 |
36 | _source =
37 | * Specifies the source (filename) for the model.
38 |
--------------------------------------------------------------------------------
/spec_files/8.1/tags.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file contains possible attribute/value pairs for configuring tags. Set
4 | # any number of tags for indexed or extracted fields.
5 | #
6 | # There is no tags.conf in $SPLUNK_HOME/etc/system/default/. To set custom
7 | # configurations, place a tags.conf in $SPLUNK_HOME/etc/system/local/. For
8 | # examples, see tags.conf.example. You must restart Splunk software to enable
9 | # configurations.
10 | #
11 | # To learn more about configuration files (including precedence) please see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | [=]
16 | * The field name and value to which the tags in the stanza
17 | apply. For example, host=localhost.
18 | * A tags.conf file can contain multiple stanzas. It is recommended that the
19 | value be URL encoded to avoid configuration file parsing errors, especially
20 | if the field value contains the following characters: \n, =, []
21 | * Each stanza can refer to only one field/value pair.
22 |
23 | =
24 | =
25 | =
26 | * Enable or disable each for this specific field/value pair.
27 | * While you can have multiple tags in a stanza (meaning that multiple tags are
28 | assigned to the same field/value combination), only one tag is allowed per
29 | stanza line. In other words, you can't have a list of tags on one line of the
30 | stanza.
31 | * CAUTION: Do not put the value in quotes. For example,
32 | use foo=enabled, not "foo"=enabled.
33 |
--------------------------------------------------------------------------------
/spec_files/8.1/user-seed.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # Specification for user-seed.conf. Allows configuration of Splunk's
4 | # initial username and password. Currently, only one user can be configured
5 | # with user-seed.conf.
6 | #
7 | # Specification for user-seed.conf. Allows configuration of Splunk's initial username and password.
8 | # Currently, only one user can be configured with user-seed.conf.
9 | #
10 | # To set the default username and password, place user-seed.conf in
11 | # $SPLUNK_HOME/etc/system/local. You must restart Splunk to enable configurations.
12 | # If the $SPLUNK_HOME/etc/passwd file is present, the settings in this file (user-seed.conf) are not used.
13 | #
14 | # Use HASHED_PASSWORD for a more secure installation. To hash a clear-text password,
15 | # use the 'splunk hash-passwd' command then copy the output to this file.
16 | #
17 | # If a clear text password is set (not recommended) and last character is '\', it should
18 | # be followed by a space for value to be read correctly. Password does not include extra
19 | # space at the end, it is required to ignore the special meaning of backslash in conf file.
20 | #
21 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
22 | # To learn more about configuration files (including precedence) please see the documentation
23 | # located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
24 |
25 | [user_info]
26 | * Default is Admin.
27 |
28 | USERNAME =
29 | * Username you want to associate with a password.
30 | * Default is Admin.
31 |
32 | PASSWORD =
33 | * Password you wish to set for that user.
34 | * Password must meet complexity requirements.
35 |
36 | HASHED_PASSWORD =
37 | * Password hash you wish to set for that user.
38 |
--------------------------------------------------------------------------------
/spec_files/8.1/viewstates.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | # This file explains how to format viewstates.
4 | #
5 | # To use this configuration, copy the configuration block into
6 | # viewstates.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk
7 | # to enable configurations.
8 | #
9 | # To learn more about configuration files (including precedence) please see
10 | # the documentation located at
11 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
12 |
13 | # GLOBAL SETTINGS
14 | # Use the [default] stanza to define any global settings.
15 | # * You can also define global settings outside of any stanza, at the top
16 | # of the file.
17 | # * Each conf file should have at most one default stanza. If there are
18 | # multiple default stanzas, attributes are combined. In the case of
19 | # multiple definitions of the same attribute, the last definition in the
20 | # file wins.
21 | # * If an attribute is defined at both the global level and in a specific
22 | # stanza, the value in the specific stanza takes precedence.
23 |
24 |
25 | [:]
26 | * Auto-generated persistence stanza label that corresponds to UI views
27 | * The is the URI name (not label) of the view to persist
28 | * if = "*", then this viewstate is considered to be 'global'
29 | * The is the unique identifier assigned to this set of
30 | parameters
31 | * = '_current' is a reserved name for normal view
32 | 'sticky state'
33 | * = '_empty' is a reserved name for no persistence,
34 | i.e., all defaults
35 |
36 | . =
37 | * The is the runtime id of the UI module requesting persistence
38 | * The is the setting designated by to persist
39 |
--------------------------------------------------------------------------------
/spec_files/8.1/workload_policy.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.1.5
2 | #
3 | ############################################################################
4 | # OVERVIEW
5 | ############################################################################
6 | # This file contains descriptions of the settings that you can use to
7 | # configure search admission control for splunk.
8 | #
9 | # There is a workload_policy.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
10 | # Never change or copy the configuration files in the default directory.
11 | # The files in the default directory must remain intact and in their original
12 | # location.
13 | #
14 | # To set custom configurations, create a new file with the name workload_policy.conf in
15 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
16 | # that you want to customize to the local configuration file.
17 | # For examples, see workload_policy.conf.example. You may need to restart the Splunk instance
18 | # to enable configuration changes.
19 | #
20 | # To learn more about configuration files (including file precedence) see the
21 | # documentation located at
22 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
23 | #
24 | # Settings to configure search admission control, including enabling/disabling feature
25 | # and other configurations.
26 |
27 | [search_admission_control]
28 | admission_rules_enabled =
29 | * Determines whether admission rules are applied to searches.
30 | * If set to true, admission rules for pre-filtering searches are applied when a search
31 | is dispatched.
32 | * Default: 0
33 |
--------------------------------------------------------------------------------
/spec_files/8.2/audit.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file contains possible attributes and values you can use to configure
4 | # auditing and event signing in audit.conf.
5 | #
6 | # There is NO DEFAULT audit.conf. To set custom configurations, place an
7 | # audit.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
8 | # audit.conf.example. You must restart Splunk to enable configurations.
9 | #
10 | # To learn more about configuration files (including precedence) please see the
11 | # documentation located at
12 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
13 |
14 | # GLOBAL SETTINGS
15 | # Use the [default] stanza to define any global settings.
16 | # * You can also define global settings outside of any stanza, at the top of the file.
17 | # * Each conf file should have at most one default stanza. If there are
18 | # multiple default stanzas, attributes are combined. In the case of multiple
19 | # definitions of the same attribute, the last definition in the file wins.
20 | # * If an attribute is defined at both the global level and in a specific
21 | # stanza, the value in the specific stanza takes precedence.
22 |
23 | #########################################################################################
24 | # KEYS: specify your public and private keys for encryption.
25 | #########################################################################################
26 |
27 | queueing =
28 | * Whether or not audit events are sent to the indexQueue.
29 | * If set to "true", audit events are sent to the indexQueue.
30 | * If set to "false", you must add an inputs.conf stanza to tail the
31 | audit log for the events reach your index.
32 | * Default: true
33 |
34 |
--------------------------------------------------------------------------------
/spec_files/8.2/bookmarks.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file contains possible settings and values for configuring various
4 | # "bookmark" entries to be stored within a Splunk instance.
5 | #
6 | # To add custom bookmarks, place a bookmarks.conf file in
7 | # $SPLUNK_HOME/etc/system/local/ on the Splunk instance.
8 | # configuration content is deployed to a
9 | # given deployment client in serverclass.conf. Refer to
10 | #
11 | # To learn more about configuration files (including precedence), see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | [bookmarks_mc:*]
16 | url =
17 | * A bookmark URL that redirects logged-in administrators to other Monitoring
18 | Console instances that may be within their purview. Set this up if you have
19 | administrators who are responsible for the performance and uptime of multiple
20 | Splunk deployments.
21 | * The bookmark appears in the left pane of the Monitoring Console.
22 | * The URL must begin with http:// or https:// and contain 'splunk_monitoring_console'.
23 | * Default: not set
24 |
--------------------------------------------------------------------------------
/spec_files/8.2/datatypesbnf.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file effects how the search assistant (typeahead) shows the syntax for
4 | # search commands.
5 |
6 | []
7 | * The name of the syntax type you are configuring.
8 | * Follow this field name with one syntax= definition.
9 | * Syntax type can only contain a-z, and -, but cannot begin with -
10 |
11 | syntax =
12 | * The syntax for your syntax type.
13 | * Should correspond to a regular expression describing the term.
14 | * Can also be a or other similar value.
15 |
--------------------------------------------------------------------------------
/spec_files/8.2/deployment.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # *** REMOVED; NO LONGER USED ***
4 | #
5 | #
6 | # This configuration file has been replaced by:
7 | # 1.) deploymentclient.conf - for configuring Deployment Clients.
8 | # 2.) serverclass.conf - for Deployment Server server class configuration.
9 | #
10 | #
11 | # Compatibility:
12 | # Splunk 4.x Deployment Server is NOT compatible with Splunk 3.x Deployment Clients.
13 | #
14 |
--------------------------------------------------------------------------------
/spec_files/8.2/fshpasswords.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file maintains the credential information associated with a federated provider.
4 | #
5 | # There is no global, default fshpasswords.conf. Instead, anytime a user creates
6 | # a new user or edit a user assocated with a federated provider onwards hitting
7 | # the fsh storage endpoint will create this fshpasswords.conf file.
8 | #
9 | # To learn more about configuration files (including precedence) please see the
10 | # documentation located at
11 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
12 |
13 |
14 | [credential:::]
15 | password =
16 | * Password that corresponds to the service account for the given federated provider.
17 | * The password can be in clear text, however when saved from splunkd, the
18 | password will always be encrypted.
19 |
--------------------------------------------------------------------------------
/spec_files/8.2/global-banner.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | ############################################################################
4 | # OVERVIEW
5 | ############################################################################
6 | # This file contains descriptions of the settings that you can use to
7 | # configure a global banner at the top of every page in Splunk, above the Splunk bar.
8 | #
9 | # Each stanza controls different search commands settings.
10 | #
11 | # There is a global-banner.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
12 | # Never change or copy the configuration files in the default directory.
13 | # The files in the default directory must remain intact and in their original
14 | # location.
15 | #
16 | # To set custom configurations, create a new file with the name global-banner.conf in
17 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
18 | # that you want to customize to the local configuration file.
19 | # For examples, see global-banner.conf.example. You must restart the Splunk instance
20 | # to enable configuration changes.
21 | #
22 | # To learn more about configuration files (including file precedence) see the
23 | # documentation located at
24 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
25 |
26 | [BANNER_MESSAGE_SINGLETON]
27 | * IMPORTANT: It is only possible to declare one global banner. This is the only
28 | stanza that Splunk Web will read.
29 |
30 | global_banner.visible =
31 | * Default: false
32 |
33 | global_banner.message =
34 | * Default: Sample banner notification text. Please replace with your own message.
35 |
36 | global_banner.background_color = [green|blue|yellow|orange|red]
37 | * Default: blue
38 |
39 | global_banner.hyperlink = [http://|https://]
40 | * Default: none
41 |
42 | global_banner.hyperlink_text =
43 | * Default: none
44 |
--------------------------------------------------------------------------------
/spec_files/8.2/instance.cfg.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file contains the set of attributes and values you can expect to find in
4 | # the SPLUNK_HOME/etc/instance.cfg file; the instance.cfg file is not to be
5 | # modified or removed by user. LEAVE THE instance.cfg FILE ALONE.
6 | #
7 |
8 | #
9 | # GLOBAL SETTINGS
10 | # The [general] stanza defines global settings.
11 | #
12 | [general]
13 |
14 | guid =
15 | * This setting formerly (before 5.0) belonged in the [general] stanza of
16 | server.conf file.
17 |
18 | * Splunk expects that every Splunk instance will have a unique string for this
19 | value, independent of all other Splunk instances. By default, Splunk will
20 | arrange for this without user intervention.
21 |
22 | * Currently used by (not exhaustive):
23 | * Clustering environments, to identify participating nodes.
24 | * Splunk introspective searches (Splunk on Splunk, Deployment Monitor,
25 | etc.), to identify forwarders.
26 |
27 | * At startup, the following happens:
28 |
29 | * If server.conf has a value of 'guid' AND instance.cfg has no value of
30 | 'guid', then the value will be erased from server.conf and moved to
31 | instance.cfg file.
32 |
33 | * If server.conf has a value of 'guid' AND instance.cfg has a value of
34 | 'guid' AND these values are the same, the value is erased from
35 | server.conf file.
36 |
37 | * If server.conf has a value of 'guid' AND instance.cfg has a value of 'guid'
38 | AND these values are different, startup halts and error is shown. Operator
39 | must resolve this error. We recommend erasing the value from server.conf
40 | file, and then restarting.
41 |
42 | * If you are hitting this error while trying to mass-clone Splunk installs,
43 | please look into the command 'splunk clone-prep-clear-config';
44 | 'splunk help' has help.
45 |
46 | * See http://www.ietf.org/rfc/rfc4122.txt for how a GUID (a.k.a. UUID) is
47 | constructed.
48 |
49 | * The standard regexp to match an all-uppercase GUID is
50 | "[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}".
51 |
--------------------------------------------------------------------------------
/spec_files/8.2/literals.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file and all forms of literals.conf are now deprecated.
4 | # Instead, use the messages.conf file which is documented
5 | # at "Customize Splunk Web messages" in the Splunk documentation.
6 |
--------------------------------------------------------------------------------
/spec_files/8.2/migration.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file maintains the migration status in Splunk Enterprise.
4 | #
5 | # Splunk Enterprise automatically generates the configurations in
6 | # this file during a migration.
7 | # Do not edit any configurations in this file unless instructed to by
8 | # Splunk support.
9 | #
10 | # There is no global, default migration.conf. When migrating between certain
11 | # versions of Splunk Enterprise, Splunk will perform migration actions that
12 | # must only be executed once. To ensure these actions are not performed during
13 | # any subsequent migration, Splunk will create a migration.conf to record
14 | # whether or not particular migration actions have taken place.
15 | #
16 | # To learn more about configuration files (including precedence) please see the
17 | # documentation located at
18 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
19 |
--------------------------------------------------------------------------------
/spec_files/8.2/passwords.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file maintains the credential information for a given app in Splunk Enterprise.
4 | #
5 | # There is no global, default passwords.conf. Instead, anytime a user creates
6 | # a new user or edit a user onwards hitting the storage endpoint
7 | # will create this passwords.conf file which gets replicated
8 | # in a search head clustering enviornment.
9 | # Note that passwords.conf is only created from 6.3.0 release.
10 | #
11 | # You must restart Splunk Enterprise to reload manual changes to passwords.conf.
12 | #
13 | # To learn more about configuration files (including precedence) please see the
14 | # documentation located at
15 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
16 |
17 |
18 | [credential:::]
19 | password =
20 | * The password that corresponds to the given username for the given realm.
21 | * NOTE: The realm is optional.
22 | * The password can be in clear text, however when saved from splunkd the
23 | password will always be encrypted.
24 |
--------------------------------------------------------------------------------
/spec_files/8.2/procmon-filters.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # *** DEPRECATED ***
4 | #
5 | #
6 | # This file contains potential attribute/value pairs to use when configuring
7 | # Windows registry monitoring. The procmon-filters.conf file contains the
8 | # regular expressions you create to refine and filter the processes you want
9 | # Splunk to monitor. You must restart Splunk to enable configurations.
10 | #
11 | # To learn more about configuration files (including precedence) please see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | #### find out if this file is still being used.
16 |
17 | []
18 | * The name of the filter being defined.
19 |
20 | proc =
21 | * A regular expression that specifies process image that you want
22 | the Splunk platform to monitor.
23 | * No default.
24 |
25 | type =
26 | * A regular expression that specifies the type(s) of process events
27 | that you want the Splunk platform to monitor.
28 | * No default
29 |
30 | hive =
31 | * Not used in this context, but should always have value ".*"
32 |
--------------------------------------------------------------------------------
/spec_files/8.2/source-classifier.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file contains all possible options for configuring settings for the
4 | # file classifier in source-classifier.conf.
5 | #
6 | # There is a source-classifier.conf in $SPLUNK_HOME/etc/system/default/ To
7 | # set custom configurations, place a source-classifier.conf in
8 | # $SPLUNK_HOME/etc/system/local/. For examples, see
9 | # source-classifier.conf.example. You must restart Splunk to enable
10 | # configurations.
11 | #
12 | # To learn more about configuration files (including precedence) please see
13 | # the documentation located at
14 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
15 |
16 |
17 | ignored_model_keywords =
18 | * Terms to ignore when generating a sourcetype model.
19 | * To prevent sourcetype "bundles/learned/*-model.xml" files from containing
20 | sensitive terms (e.g. "bobslaptop") that occur very frequently in your
21 | data files, add those terms to ignored_model_keywords.
22 |
23 | ignored_filename_keywords =
24 | * Terms to ignore when comparing a new sourcename against a known
25 | sourcename, for the purpose of classifying a source.
26 |
27 |
--------------------------------------------------------------------------------
/spec_files/8.2/sourcetypes.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # NOTE: sourcetypes.conf is a machine-generated file that stores the document
4 | # models used by the file classifier for creating source types.
5 |
6 | # Generally, you should not edit sourcetypes.conf, as most attributes are
7 | # machine generated. However, there are two attributes which you can change.
8 | #
9 | # There is a sourcetypes.conf in $SPLUNK_HOME/etc/system/default/ To set custom
10 | # configurations, place a sourcetypes..conf in $SPLUNK_HOME/etc/system/local/.
11 | # For examples, see sourcetypes.conf.example. You must restart Splunk to enable
12 | # configurations.
13 | #
14 | # To learn more about configuration files (including precedence) please see the
15 | # documentation located at
16 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
17 |
18 | # GLOBAL SETTINGS
19 | # Use the [default] stanza to define any global settings.
20 | # * You can also define global settings outside of any stanza, at the top of
21 | # the file.
22 | # * Each conf file should have at most one default stanza. If there are
23 | # multiple default stanzas, attributes are combined. In the case of
24 | # multiple definitions of the same attribute, the last definition in the
25 | # file wins.
26 | # * If an attribute is defined at both the global level and in a specific
27 | # stanza, the value in the specific stanza takes precedence.
28 |
29 |
30 | _sourcetype =
31 | * Specifies the sourcetype for the model.
32 | * Change this to change the model's sourcetype.
33 | * Future sources that match the model will receive a sourcetype of this new
34 | name.
35 |
36 | _source =
37 | * Specifies the source (filename) for the model.
38 |
--------------------------------------------------------------------------------
/spec_files/8.2/tags.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file contains possible attribute/value pairs for configuring tags. Set
4 | # any number of tags for indexed or extracted fields.
5 | #
6 | # There is no tags.conf in $SPLUNK_HOME/etc/system/default/. To set custom
7 | # configurations, place a tags.conf in $SPLUNK_HOME/etc/system/local/. For
8 | # examples, see tags.conf.example. You must restart Splunk software to enable
9 | # configurations.
10 | #
11 | # To learn more about configuration files (including precedence) please see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | [=]
16 | * The field name and value to which the tags in the stanza
17 | apply. For example, host=localhost.
18 | * A tags.conf file can contain multiple stanzas. It is recommended that the
19 | value be URL encoded to avoid configuration file parsing errors, especially
20 | if the field value contains the following characters: \n, =, []
21 | * Each stanza can refer to only one field/value pair.
22 |
23 | =
24 | =
25 | =
26 | * Enable or disable each for this specific field/value pair.
27 | * While you can have multiple tags in a stanza (meaning that multiple tags are
28 | assigned to the same field/value combination), only one tag is allowed per
29 | stanza line. In other words, you can't have a list of tags on one line of the
30 | stanza.
31 | * CAUTION: Do not put the value in quotes. For example,
32 | use foo=enabled, not "foo"=enabled.
33 |
--------------------------------------------------------------------------------
/spec_files/8.2/user-seed.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # Specification for user-seed.conf. Allows configuration of Splunk's
4 | # initial username and password. Currently, only one user can be configured
5 | # with user-seed.conf.
6 | #
7 | # Specification for user-seed.conf. Allows configuration of Splunk's initial username and password.
8 | # Currently, only one user can be configured with user-seed.conf.
9 | #
10 | # To set the default username and password, place user-seed.conf in
11 | # $SPLUNK_HOME/etc/system/local. You must restart Splunk to enable configurations.
12 | # If the $SPLUNK_HOME/etc/passwd file is present, the settings in this file (user-seed.conf) are not used.
13 | #
14 | # Use HASHED_PASSWORD for a more secure installation. To hash a clear-text password,
15 | # use the 'splunk hash-passwd' command then copy the output to this file.
16 | #
17 | # If a clear text password is set (not recommended) and last character is '\', it should
18 | # be followed by a space for value to be read correctly. Password does not include extra
19 | # space at the end, it is required to ignore the special meaning of backslash in conf file.
20 | #
21 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
22 | # To learn more about configuration files (including precedence) please see the documentation
23 | # located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
24 |
25 | [user_info]
26 | * Default is Admin.
27 |
28 | USERNAME =
29 | * Username you want to associate with a password.
30 | * Default is Admin.
31 |
32 | PASSWORD =
33 | * Password you wish to set for that user.
34 | * Password must meet complexity requirements.
35 |
36 | HASHED_PASSWORD =
37 | * Password hash you wish to set for that user.
38 |
--------------------------------------------------------------------------------
/spec_files/8.2/viewstates.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | # This file explains how to format viewstates.
4 | #
5 | # To use this configuration, copy the configuration block into
6 | # viewstates.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk
7 | # to enable configurations.
8 | #
9 | # To learn more about configuration files (including precedence) please see
10 | # the documentation located at
11 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
12 |
13 | # GLOBAL SETTINGS
14 | # Use the [default] stanza to define any global settings.
15 | # * You can also define global settings outside of any stanza, at the top
16 | # of the file.
17 | # * Each conf file should have at most one default stanza. If there are
18 | # multiple default stanzas, attributes are combined. In the case of
19 | # multiple definitions of the same attribute, the last definition in the
20 | # file wins.
21 | # * If an attribute is defined at both the global level and in a specific
22 | # stanza, the value in the specific stanza takes precedence.
23 |
24 |
25 | [:]
26 | * Auto-generated persistence stanza label that corresponds to UI views
27 | * The is the URI name (not label) of the view to persist
28 | * if = "*", then this viewstate is considered to be 'global'
29 | * The is the unique identifier assigned to this set of
30 | parameters
31 | * = '_current' is a reserved name for normal view
32 | 'sticky state'
33 | * = '_empty' is a reserved name for no persistence,
34 | i.e., all defaults
35 |
36 | . =
37 | * The is the runtime id of the UI module requesting persistence
38 | * The is the setting designated by to persist
39 |
--------------------------------------------------------------------------------
/spec_files/8.2/workload_policy.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 8.2.1
2 | #
3 | ############################################################################
4 | # OVERVIEW
5 | ############################################################################
6 | # This file contains descriptions of the settings that you can use to
7 | # configure search admission control for splunk.
8 | #
9 | # There is a workload_policy.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
10 | # Never change or copy the configuration files in the default directory.
11 | # The files in the default directory must remain intact and in their original
12 | # location.
13 | #
14 | # To set custom configurations, create a new file with the name workload_policy.conf in
15 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
16 | # that you want to customize to the local configuration file.
17 | # For examples, see workload_policy.conf.example. You may need to restart the Splunk instance
18 | # to enable configuration changes.
19 | #
20 | # To learn more about configuration files (including file precedence) see the
21 | # documentation located at
22 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
23 | #
24 | # Settings to configure search admission control, including enabling/disabling feature
25 | # and other configurations.
26 |
27 | [search_admission_control]
28 | admission_rules_enabled =
29 | * Determines whether admission rules are applied to searches.
30 | * If set to true, admission rules for pre-filtering searches are applied when a search
31 | is dispatched.
32 | * Default: 0
33 |
--------------------------------------------------------------------------------
/spec_files/9.0/audit.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # This file contains possible attributes and values you can use to configure
4 | # auditing in audit.conf.
5 | #
6 | # There is NO DEFAULT audit.conf. To set custom configurations, place an
7 | # audit.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
8 | # audit.conf.example. You must restart Splunk to enable configurations.
9 | #
10 | # To learn more about configuration files (including precedence) please see the
11 | # documentation located at
12 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
13 |
14 | # GLOBAL SETTINGS
15 | # Use the [default] stanza to define any global settings.
16 | # * You can also define global settings outside of any stanza, at the top of the file.
17 | # * Each conf file should have at most one default stanza. If there are
18 | # multiple default stanzas, attributes are combined. In the case of multiple
19 | # definitions of the same attribute, the last definition in the file wins.
20 | # * If an attribute is defined at both the global level and in a specific
21 | # stanza, the value in the specific stanza takes precedence.
22 |
23 | queueing =
24 | * Whether or not audit events are sent to the indexQueue.
25 | * If set to "true", audit events are sent to the indexQueue.
26 | * If set to "false", you must add an inputs.conf stanza to tail the
27 | audit log for the events reach your index.
28 | * Default: true
29 |
30 |
--------------------------------------------------------------------------------
/spec_files/9.0/bookmarks.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # This file contains possible settings and values for configuring various
4 | # "bookmark" entries to be stored within a Splunk instance.
5 | #
6 | # To add custom bookmarks, place a bookmarks.conf file in
7 | # $SPLUNK_HOME/etc/system/local/ on the Splunk instance.
8 | # configuration content is deployed to a
9 | # given deployment client in serverclass.conf. Refer to
10 | #
11 | # To learn more about configuration files (including precedence), see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | [bookmarks_mc:*]
16 | url =
17 | * A bookmark URL that redirects logged-in administrators to other Monitoring
18 | Console instances that may be within their purview. Set this up if you have
19 | administrators who are responsible for the performance and uptime of multiple
20 | Splunk deployments.
21 | * The bookmark appears in the left pane of the Monitoring Console.
22 | * The URL must begin with http:// or https:// and contain 'splunk_monitoring_console'.
23 | * Default: not set
24 |
--------------------------------------------------------------------------------
/spec_files/9.0/datatypesbnf.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # This file effects how the search assistant (typeahead) shows the syntax for
4 | # search commands.
5 |
6 | []
7 | * The name of the syntax type you are configuring.
8 | * Follow this field name with one syntax= definition.
9 | * Syntax type can only contain a-z, and -, but cannot begin with -
10 |
11 | syntax =
12 | * The syntax for your syntax type.
13 | * Should correspond to a regular expression describing the term.
14 | * Can also be a or other similar value.
15 |
--------------------------------------------------------------------------------
/spec_files/9.0/default-mode.conf.examples:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 |
4 | # re-enable the udp input on a SplunkLightForwarder
5 |
6 | [pipeline:udp]
7 | disabled = false
8 |
9 | # re-enable the tcp input on a SplunkLightForwarder
10 |
11 | [pipeline:tcp]
12 | disabled = false
13 |
14 |
--------------------------------------------------------------------------------
/spec_files/9.0/deployment.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # *** REMOVED; NO LONGER USED ***
4 | #
5 | #
6 | # This configuration file has been replaced by:
7 | # 1.) deploymentclient.conf - for configuring Deployment Clients.
8 | # 2.) serverclass.conf - for Deployment Server server class configuration.
9 | #
10 | #
11 | # Compatibility:
12 | # Splunk 4.x Deployment Server is NOT compatible with Splunk 3.x Deployment Clients.
13 | #
14 |
--------------------------------------------------------------------------------
/spec_files/9.0/global-banner.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | ############################################################################
4 | # OVERVIEW
5 | ############################################################################
6 | # This file contains descriptions of the settings that you can use to
7 | # configure a global banner at the top of every page in Splunk, above the Splunk bar.
8 | #
9 | # Each stanza controls different search commands settings.
10 | #
11 | # There is a global-banner.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
12 | # Never change or copy the configuration files in the default directory.
13 | # The files in the default directory must remain intact and in their original
14 | # location.
15 | #
16 | # To set custom configurations, create a new file with the name global-banner.conf in
17 | # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
18 | # that you want to customize to the local configuration file.
19 | # For examples, see global-banner.conf.example. You must restart the Splunk instance
20 | # to enable configuration changes.
21 | #
22 | # To learn more about configuration files (including file precedence) see the
23 | # documentation located at
24 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
25 |
26 | [BANNER_MESSAGE_SINGLETON]
27 | * IMPORTANT: It is only possible to declare one global banner. This is the only
28 | stanza that Splunk Web will read.
29 |
30 | global_banner.visible =
31 | * Default: false
32 |
33 | global_banner.message =
34 | * Default: Sample banner notification text. Please replace with your own message.
35 |
36 | global_banner.background_color = [green|blue|yellow|orange|red]
37 | * Default: blue
38 |
39 | global_banner.hyperlink = [http://|https://]
40 | * Default: none
41 |
42 | global_banner.hyperlink_text =
43 | * Default: none
44 |
--------------------------------------------------------------------------------
/spec_files/9.0/instance.cfg.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # This file contains the set of attributes and values you can expect to find in
4 | # the SPLUNK_HOME/etc/instance.cfg file; the instance.cfg file is not to be
5 | # modified or removed by user. LEAVE THE instance.cfg FILE ALONE.
6 | #
7 |
8 | #
9 | # GLOBAL SETTINGS
10 | # The [general] stanza defines global settings.
11 | #
12 | [general]
13 |
14 | guid =
15 | * This setting formerly (before 5.0) belonged in the [general] stanza of
16 | server.conf file.
17 |
18 | * Splunk expects that every Splunk instance will have a unique string for this
19 | value, independent of all other Splunk instances. By default, Splunk will
20 | arrange for this without user intervention.
21 |
22 | * Currently used by (not exhaustive):
23 | * Clustering environments, to identify participating nodes.
24 | * Splunk introspective searches (Splunk on Splunk, Deployment Monitor,
25 | etc.), to identify forwarders.
26 |
27 | * At startup, the following happens:
28 |
29 | * If server.conf has a value of 'guid' AND instance.cfg has no value of
30 | 'guid', then the value will be erased from server.conf and moved to
31 | instance.cfg file.
32 |
33 | * If server.conf has a value of 'guid' AND instance.cfg has a value of
34 | 'guid' AND these values are the same, the value is erased from
35 | server.conf file.
36 |
37 | * If server.conf has a value of 'guid' AND instance.cfg has a value of 'guid'
38 | AND these values are different, startup halts and error is shown. Operator
39 | must resolve this error. We recommend erasing the value from server.conf
40 | file, and then restarting.
41 |
42 | * If you are hitting this error while trying to mass-clone Splunk installs,
43 | please look into the command 'splunk clone-prep-clear-config';
44 | 'splunk help' has help.
45 |
46 | * See http://www.ietf.org/rfc/rfc4122.txt for how a GUID (a.k.a. UUID) is
47 | constructed.
48 |
49 | * The standard regexp to match an all-uppercase GUID is
50 | "[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}".
51 |
--------------------------------------------------------------------------------
/spec_files/9.0/literals.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # This file and all forms of literals.conf are now deprecated.
4 | # Instead, use the messages.conf file which is documented
5 | # at "Customize Splunk Web messages" in the Splunk documentation.
6 |
--------------------------------------------------------------------------------
/spec_files/9.0/livetail.conf.examples:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # ** FOR USE IN SPLUNK LIGHT ONLY
4 | #
5 | # This file contains the settings and keywords available for the Splunk Livetail feature.
6 | # The livetail.conf isn't necessary to use Livetail but is used as a storage
7 | # of any keywords and the settings for each keyword.
8 | #
9 | # There is a default livetail.conf in $SPLUNK_HOME/etc/system/default that is
10 | # is used to include the 3 default sounds for each keyword.
11 | #
12 | # To learn more about configuration files (including precedence) see the
13 | # documentation located at
14 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
15 | #
16 | # GLOBAL SETTINGS
17 | # Use the [default] stanza to define any global settings.
18 | # * You can also define global settings outside of any stanza, at the top of
19 | # the file.
20 | # * If an attribute is defined at both the global level and in a specific
21 | # stanza, the value in the specific stanza takes precedence.
22 | # * There will be 3 default sounds (sound-ding, sound-airhorn, sound-alarm) in base64 encoding.
23 | # They will be included as defaults for any keywords as a map for the sound a user chooses.
24 |
25 |
26 | sound-ding = SUQzBAAAAA
27 | sound-airhorn = SUQzBAAAAAE
28 | sound-alarm = SUQzBAAAAAEFd
29 |
30 | [keyword-id-1234]
31 | threshold = 450
32 | playsound = 0
33 | sound = horn
34 | flash = false
35 | enabled = 1
36 | keyphrase = GET
37 | color = 0xFFF
38 |
--------------------------------------------------------------------------------
/spec_files/9.0/migration.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # This file maintains the migration status in Splunk Enterprise.
4 | #
5 | # Splunk Enterprise automatically generates the configurations in
6 | # this file during a migration.
7 | # Do not edit any configurations in this file unless instructed to by
8 | # Splunk support.
9 | #
10 | # There is no global, default migration.conf. When migrating between certain
11 | # versions of Splunk Enterprise, Splunk will perform migration actions that
12 | # must only be executed once. To ensure these actions are not performed during
13 | # any subsequent migration, Splunk will create a migration.conf to record
14 | # whether or not particular migration actions have taken place.
15 | #
16 | # To learn more about configuration files (including precedence) please see the
17 | # documentation located at
18 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
19 |
--------------------------------------------------------------------------------
/spec_files/9.0/passwords.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # This file maintains the credential information for a given app in Splunk Enterprise.
4 | #
5 | # There is no global, default passwords.conf. Instead, anytime a user creates
6 | # a new user or edit a user onwards hitting the storage endpoint
7 | # will create this passwords.conf file which gets replicated
8 | # in a search head clustering enviornment.
9 | # Note that passwords.conf is only created from 6.3.0 release.
10 | #
11 | # You must restart Splunk Enterprise to reload manual changes to passwords.conf.
12 | #
13 | # To learn more about configuration files (including precedence) please see the
14 | # documentation located at
15 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
16 |
17 |
18 | [credential:::]
19 | password =
20 | * The password that corresponds to the given username for the given realm.
21 | * NOTE: The realm is optional.
22 | * The password can be in clear text, however when saved from splunkd the
23 | password will always be encrypted.
24 |
--------------------------------------------------------------------------------
/spec_files/9.0/procmon-filters.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # *** DEPRECATED ***
4 | #
5 | #
6 | # This file contains potential attribute/value pairs to use when configuring
7 | # Windows registry monitoring. The procmon-filters.conf file contains the
8 | # regular expressions you create to refine and filter the processes you want
9 | # Splunk to monitor. You must restart Splunk to enable configurations.
10 | #
11 | # To learn more about configuration files (including precedence) please see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | #### find out if this file is still being used.
16 |
17 | []
18 | * The name of the filter being defined.
19 |
20 | proc =
21 | * A regular expression that specifies process image that you want
22 | the Splunk platform to monitor.
23 | * No default.
24 |
25 | type =
26 | * A regular expression that specifies the type(s) of process events
27 | that you want the Splunk platform to monitor.
28 | * No default
29 |
30 | hive =
31 | * Not used in this context, but should always have value ".*"
32 |
--------------------------------------------------------------------------------
/spec_files/9.0/source-classifier.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # This file contains all possible options for configuring settings for the
4 | # file classifier in source-classifier.conf.
5 | #
6 | # There is a source-classifier.conf in $SPLUNK_HOME/etc/system/default/ To
7 | # set custom configurations, place a source-classifier.conf in
8 | # $SPLUNK_HOME/etc/system/local/. For examples, see
9 | # source-classifier.conf.example. You must restart Splunk to enable
10 | # configurations.
11 | #
12 | # To learn more about configuration files (including precedence) please see
13 | # the documentation located at
14 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
15 |
16 |
17 | ignored_model_keywords =
18 | * Terms to ignore when generating a sourcetype model.
19 | * To prevent sourcetype "bundles/learned/*-model.xml" files from containing
20 | sensitive terms (e.g. "bobslaptop") that occur very frequently in your
21 | data files, add those terms to ignored_model_keywords.
22 |
23 | ignored_filename_keywords =
24 | * Terms to ignore when comparing a new sourcename against a known
25 | sourcename, for the purpose of classifying a source.
26 |
27 |
--------------------------------------------------------------------------------
/spec_files/9.0/sourcetypes.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # NOTE: sourcetypes.conf is a machine-generated file that stores the document
4 | # models used by the file classifier for creating source types.
5 |
6 | # Generally, you should not edit sourcetypes.conf, as most attributes are
7 | # machine generated. However, there are two attributes which you can change.
8 | #
9 | # There is a sourcetypes.conf in $SPLUNK_HOME/etc/system/default/ To set custom
10 | # configurations, place a sourcetypes..conf in $SPLUNK_HOME/etc/system/local/.
11 | # For examples, see sourcetypes.conf.example. You must restart Splunk to enable
12 | # configurations.
13 | #
14 | # To learn more about configuration files (including precedence) please see the
15 | # documentation located at
16 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
17 |
18 | # GLOBAL SETTINGS
19 | # Use the [default] stanza to define any global settings.
20 | # * You can also define global settings outside of any stanza, at the top of
21 | # the file.
22 | # * Each conf file should have at most one default stanza. If there are
23 | # multiple default stanzas, attributes are combined. In the case of
24 | # multiple definitions of the same attribute, the last definition in the
25 | # file wins.
26 | # * If an attribute is defined at both the global level and in a specific
27 | # stanza, the value in the specific stanza takes precedence.
28 |
29 |
30 | _sourcetype =
31 | * Specifies the sourcetype for the model.
32 | * Change this to change the model's sourcetype.
33 | * Future sources that match the model will receive a sourcetype of this new
34 | name.
35 |
36 | _source =
37 | * Specifies the source (filename) for the model.
38 |
--------------------------------------------------------------------------------
/spec_files/9.0/tags.conf.spec:
--------------------------------------------------------------------------------
1 | # Version 9.0.0.1
2 | #
3 | # This file contains possible attribute/value pairs for configuring tags. Set
4 | # any number of tags for indexed or extracted fields.
5 | #
6 | # There is no tags.conf in $SPLUNK_HOME/etc/system/default/. To set custom
7 | # configurations, place a tags.conf in $SPLUNK_HOME/etc/system/local/. For
8 | # examples, see tags.conf.example. You must restart Splunk software to enable
9 | # configurations.
10 | #
11 | # To learn more about configuration files (including precedence) please see the
12 | # documentation located at
13 | # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
14 |
15 | [