Module 4 - Config Files

Question 1

Confit folder

Answer 1

SPLUNK_HOME/etc

Question 2

Ways to modify Splunk configuration

Answer 2

Splunk web
Splunk CLI
By editing .conf files

Question 3

Common Splunk config files on Search head

Answer 3

props.conf

Search-time Field Extractions, lookups, etc

Question 4

Common Splunk config files on Indexer

Answer 4

props.conf - parsing

Inputs.conf - What data is collected; Which ports to listen to

Question 5

Common Splunk config files on forwarder

Answer 5

outputs.conf - where to forward data

props.conf - limited parsing

inputs.conf - what data is collected

Question 6

Files in default directories

Answer 6

Files should Never be modified

Make copy to local folder and edit settings

Question 7

Default vs local config

Answer 7

Default is Overwritten on update

Local
- keep my changes
- Preserved on update
- Only modify these versions
- Overrides default setting

Question 8

Merging config files

Answer 8

When Splunk is running it merges config files Into a single run-time model for each
file type
– As a union of all files if no duplicates/conflicts exist
• In case of conflicts priority is based on the context:
– Global context (index-time)
– App/User context (search-time

Question 9

Index time precedence (global context)

Answer 9

1. System local directory
   etc/system/local
2. App local directories*
   etc/apps/appname/local
3. App default directories*
   etc/apps/appname/default
4. System default directory
   etc/system/default

Question 10

Search time precedence (App/User context)

Answer 10

1.Current user directory for app
etc/users/user/appname/local
2. App directory - running app
etc/apps/appname/local
etc/apps/appname/default
3. App directories - all other apps*
etc/apps/appname/local
etc/apps/appname/default
4. System directories
etc/system/local
etc/system/default

Question 11

Setup receiving port

Answer 11

./splunk enable listen 9997 [-app name]

SPLUNK_HOME/etc/apps/app_name/local/inputs.conf
[splunktcp://9997]
connection_host = ip

If no app name specifies it will be defined under search app

Question 12

Index creation

Answer 12

./splunk add index index_name [-app app_name]

SPLUNK_HOME/etc/apps/app_name/local/indexes.conf

[test]
coldPath = $SPLUNK_DB/test/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/test/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/test/thaweddb

If no app name specified it will be added to search app

Question 13

Which configuration file tells a Splunk instance which data to ingest?

Answer 13

inputs.conf lists data inputs, or in some cases which network ports to listen on for data inputs.

Question 14

What’s the function of outputs.conf

Answer 14

outputs.conf lists where input data should be sent (for example from forwarders to indexers).

Question 15

What’s the function of props.conf

Answer 15

props.conf lists processing properties for data input

Question 16

What brook is used for?

Answer 16

btool is used to verify Splunk configuration on disk

Question 17

How to verify splunk config in memory

Answer 17

use the splunk show config command or REST API.

Question 18

How should an administrator disable the [syslog] stanza attribute TRANSFORMS=syslog-host found in
SPLUNK_HOME/etc/system/default/props.conf?

Answer 18

In …/local/props.conf set TRANSFORMS= (to a blank value) to disable it