Module 4: Splunk Configuration Files Flashcards
1
Q
What are the features of configuration files? (.conf)
A
- Govern aspects of Splunk functionality
- Text files using a generally case-sensitive [stanza] and attribute = value format
- Saved under $SPLUNK_HOME/etc
2
Q
What are the two ways to learn about conf files?
A
- Readme files - $SPLUNK_HOME/etc/system/README
* Spec files on Splunk docs
3
Q
What is a Splunk app?
A
- way of organising configuration files,
- directory under Splunk_home/etc/apps. E.g search and reporting is stored under Splunk_home/etc/apps/search
- an add-on is an app that usually does not contain GUI
4
Q
When editing conf files, it is best practice to only amend the ___ directory.
A
local
5
Q
What is meant by index time?
A
global context, such as input/parsing configuration
6
Q
What is meant by search time?
A
App/user scoped, such as a users knowledge object
7
Q
Name the index-time precedence.
A
- Etc/system/local
- Etc/apps/search/local
- Etc/apps/app1/local
- Etc/apps/search/default
- Etc/apps/app1/default
- Etc/system/default
8
Q
Name the search-time precedence.
A
- Etc/users/john/app1/local
- Etc/apps/app1/local
- Etc/apps/app1/default
- Etc/apps/search/local
- Etc/apps/search/default
- Etc/system/local
- Etc/system/default
9
Q
If two or more apps have conflicting settings, the app directory name with the __ __ order wins.
A
highest ascii
10
Q
How does Splunk merge conf files?
A
- Upon startup, Splunk merges configuration files for each type
- The resulting file combines settings from various directory locations
- Only one file per file type will be used at run time
- If there is a conflict, precedence is applied.
11
Q
What is the btool command?
A
- btool is a Splunk command located in splunk_home/bin. It retrieves the on-disk configuration of a Splunk conf file.
- Syntax = Splunk btool list [options]
- –debug option shows the exact .conf file location
