Understanding Splunk configuration files | How to configure Splunk?
Splunk configuration files are the brains behind how Splunk works: they hold the configuration information that controls Splunk's behavior. They live on the Splunk server with the extension .conf and are plain text, so anyone with the appropriate file-system access can read and edit them. Whatever you change through the GUI lands in a .conf file. The GUI often does not expose every setting; in that case you edit the relevant parameters in the related .conf file directly. Because several of these files carry secrets (for example the LDAP bind password in authentication.conf or pass4SymmKey in server.conf), restrict access to $SPLUNK_HOME/etc to the account Splunk runs as.

There can be multiple .conf files with the same name. They are stored in several directories: $SPLUNK_HOME/etc/system/default (do not touch these; they hold the shipped defaults and are overwritten on upgrade), $SPLUNK_HOME/etc/system/local, and $SPLUNK_HOME/etc/apps/<app>/default and $SPLUNK_HOME/etc/apps/<app>/local. The local directories are where your own edits belong, and you can create separate app folders under $SPLUNK_HOME/etc/apps for different technologies. After editing a .conf file you must restart Splunk, or trigger a debug refresh (the /debug/refresh page of Splunk Web reloads the settings that support it without a restart), before the change takes effect. To confirm which file actually supplies a setting, run splunk btool <conf-name> list --debug.

You don't need to remember all of them, but you should at least be familiar with which file contains which configuration settings.
Below is the list of all Splunk configuration files with a short description of each. We will study the frequently used configuration files in detail in the next chapters.
alert_actions.conf >> Configuration settings for Splunk alerts. Edit this file to configure the alert actions for saved searches, for example the report file format (pdf or csv) and the e-mail settings.
app.conf >> Configure your custom app: properties such as visibility and ownership of the application.
audit.conf >> Configure auditing and event hashing.
authentication.conf >> authentication.conf is used to configure LDAP and Scripted authentication in addition to Splunk's native authentication
authorize.conf >> Configure roles and their capabilities (granular access controls) for your Splunk users and admins.
commands.conf >> Connect search commands to any custom search script.
crawl.conf >> Configure crawl to find new data sources.
default.meta.conf >> A template file for use in creating app-specific default.meta files.
deploymentclient.conf >> Specify behavior for clients of the deployment server.
distsearch.conf >> Specify behavior for distributed search.
eventdiscoverer.conf >> Set terms to ignore for typelearner (event discovery).
event_renderers.conf >> Configure event-rendering properties.
eventtypes.conf >> Create event type definitions.
fields.conf >> Create multivalue fields and add search capability for indexed fields.
indexes.conf >> Manage and configure index settings.
inputs.conf >> Set up data inputs.
instance.cfg.conf >> Designate and manage settings for specific instances of Splunk. This can be handy, for example, when identifying forwarders for internal searches.
limits.conf >> Set various limits (such as maximum result size or concurrent real-time searches) for search commands.
literals.conf >> Customize the text, such as search error strings, displayed in Splunk Web.
macros.conf >> Create and use search macros.
multikv.conf >> Configure extraction rules for table-like events (ps, netstat, ls).
outputs.conf >> Set up forwarding behavior.
pdf_server.conf >> Configure the Splunk PDF Server. The PDF Server app was deprecated in Splunk Enterprise 6.0. The feature was removed in Splunk Enterprise 6.2.
procmon-filters.conf >> Monitor Windows process data.
props.conf >> Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties.
pubsub.conf >> Define a custom client of the deployment server.
restmap.conf >> Create custom REST endpoints.
savedsearches.conf >> Define ordinary reports, scheduled reports, and alerts.
searchbnf.conf >> Configure the search assistant.
segmenters.conf >> Configure segmentation.
server.conf >> Enable SSL for Splunk's back-end (communications between Splunkd and Splunk Web) and specify certificate locations.
serverclass.conf >> Define deployment server classes for use with deployment server.
serverclass.seed.xml.conf >> Configure how to seed a deployment client with apps at start-up time.
source-classifier.conf >> Terms to ignore (such as sensitive data) when creating a source type.
sourcetypes.conf >> Machine-generated file that stores source type learning rules.
tags.conf >> Configure tags for fields.
tenants.conf >> Configure deployments in multi-tenant environments (deprecated).
times.conf >> Define custom time ranges for use in the Search app.
transactiontypes.conf >> Add additional transaction types for transaction search.
transforms.conf >> Configure regex transformations to perform on data inputs. Use in tandem with props.conf.
user-seed.conf >> Seed the initial admin user and password that Splunk creates on first start.
viewstates.conf >> Use this file to set up UI views (such as charts) in Splunk.
web.conf >> Configure Splunk Web, enable HTTPS.
wmi.conf >> Set up Windows management instrumentation (WMI) inputs.
workflow_actions.conf >> Configure workflow actions.
When the same parameter is set in .conf files at different locations, the conflict is resolved by precedence. In the global context (settings that apply to the whole instance, such as inputs.conf, indexes.conf and server.conf) the order is:
1. System local directory ($SPLUNK_HOME/etc/system/local) -- highest priority
2. App local directories ($SPLUNK_HOME/etc/apps/<app>/local) -- second highest
3. App default directories ($SPLUNK_HOME/etc/apps/<app>/default) -- third highest
4. System default directory ($SPLUNK_HOME/etc/system/default) -- lowest priority
Two caveats catch people in practice. Within the app tiers, apps that set the same parameter are ordered by ASCII sort of the app directory name, so one app can silently shadow another. And for search-time settings (props.conf, transforms.conf, savedsearches.conf and the like) the running user's and app's directories come first, with $SPLUNK_HOME/etc/users/<user>/<app>/local taking precedence over the app's own local directory. Use splunk btool <conf-name> list --debug to see which file wins for each setting.
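To make the local/default layering and the precedence order above concrete, here is a small Python model of how Splunk merges same-named .conf files in the global context. It is an added example written for this page, not Splunk's own code or its btool implementation. It merges a constructed set of inputs.conf files from the four tiers, records which file supplies every attribute, applies [default]-stanza inheritance, and lists the shadowed values the way splunk btool ... --debug does. The file contents and app names (Splunk_TA_nix, search) are illustrative. Two points are this model's assumptions and should be confirmed with btool on a real instance: the direction of the ASCII tie-break within an app tier (the model lets the ASCII-earliest app name win), and filing attributes above the first stanza header under [default].

```python
"""Model of Splunk .conf layering in the global context (added example, not Splunk's code)."""
import re

# Constructed sample files keyed by path relative to $SPLUNK_HOME/etc; contents
# and app names are illustrative, not copied from a real installation.
SAMPLE_ETC = {
    "system/default/inputs.conf": """
[default]
host = $decideOnStartup

[monitor:///var/log/secure]
disabled = 1
""",
    "apps/Splunk_TA_nix/default/inputs.conf": """
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os
disabled = 1
""",
    "apps/Splunk_TA_nix/local/inputs.conf": """
# an edit made through Splunk Web lands in the app's local directory
[monitor:///var/log/secure]
disabled = 0
index = os
""",
    "apps/search/local/inputs.conf": """
[monitor:///var/log/secure]
index = main
""",
    "system/local/inputs.conf": """
[monitor:///var/log/secure]
index = security
""",
}

def parse_conf(text):
    """Parse Splunk's INI-like format: [stanza] headers, key = value lines, # comments.
    Attributes above the first header are filed under [default] (this model's assumption)."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def _tier_and_app(path):
    """Tier 0 system/default < 1 app default < 2 app local < 3 system/local."""
    parts = path.split("/")
    if parts[0] == "system":
        return (0 if parts[1] == "default" else 3), ""
    return (1 if parts[2] == "default" else 2), parts[1]

def ordered_layers(files):
    """Paths from lowest to highest precedence, so later layers overwrite earlier ones."""
    tiers = {}
    for path in files:
        tier, app = _tier_and_app(path)
        tiers.setdefault(tier, []).append((app, path))
    ordered = []
    for tier in sorted(tiers):
        # Assumption: within an app tier the app whose directory name sorts first in
        # ASCII order (digits, then A-Z, then a-z) wins, so it is applied last.
        ordered.extend(path for _, path in sorted(tiers[tier], reverse=True))
    return ordered

def resolve(files):
    """Merge all layers. Returns {stanza: {key: (value, path_that_won)}}."""
    merged = {}
    for path in ordered_layers(files):
        for stanza, attrs in parse_conf(files[path]).items():
            for key, value in attrs.items():
                merged.setdefault(stanza, {})[key] = (value, path)
    defaults = merged.get("default", {})  # [default] fills what a stanza leaves unset
    for stanza, attrs in merged.items():
        if stanza != "default":
            for key, item in defaults.items():
                attrs.setdefault(key, item)
    return merged

def history(files, stanza, key):
    """Every file setting stanza/key, highest precedence first; all but [0] are shadowed."""
    chain = []
    for path in reversed(ordered_layers(files)):
        value = parse_conf(files[path]).get(stanza, {}).get(key)
        if value is not None:
            chain.append((path, value))
    return chain

if __name__ == "__main__":
    stanza = "monitor:///var/log/secure"
    print(f"[{stanza}]")  # like 'splunk btool inputs list --debug': winning file beside each value
    for key, (value, path) in sorted(resolve(SAMPLE_ETC)[stanza].items()):
        print(f"{path:<40} {key} = {value}")
    for path, value in history(SAMPLE_ETC, stanza, "index"):
        print(f"index = {value:<9} set in {path}")
```

Running it shows index = security winning from system/local even though three app files set it, disabled = 0 coming from the app's local directory, sourcetype surviving from the app's default directory, and host inherited from the [default] stanza in system/default. The history listing is the part worth studying: remove system/local/inputs.conf from SAMPLE_ETC and the winner becomes whichever app local file sorts first, which is exactly the kind of silent shadowing the precedence rules produce. On a real instance the equivalent check is splunk btool inputs list monitor:///var/log/secure --debug.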
Reference : http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Listofconfigurationfiles