Splunk .conf Files - Descriptions and Examples
inputs.conf
Defines data inputs such as files, directories, TCP/UDP ports, scripts.
Example:
[monitor:///var/log/messages]
sourcetype=syslog
index=os_logs
outputs.conf
Specifies data forwarding to other Splunk instances.
Example:
[tcpout:group1]
server=idx1:9997,idx2:9997
props.conf
Sets how Splunk processes events during indexing (line breaking, timestamps, etc.).
Example:
[source::.../access.log]
TIME_FORMAT=%d/%b/%Y:%H:%M:%S %z
transforms.conf
Defines field extractions, routing, and lookups.
Example:
[extract_field]
REGEX=field=(\w+)
FORMAT=field::$1
indexes.conf
Defines index characteristics (location, retention, etc.).
Example:
[security_logs]
homePath=$SPLUNK_DB/security_logs/db
limits.conf
Controls various Splunk limits, such as concurrent searches.
Example:
[search]
max_searches_per_cpu=4
server.conf
Controls general Splunkd settings like clustering, SSL, and server name.
Example:
[general]
serverName=SplunkServer01
deploymentclient.conf
Configures clients to connect with Deployment Server.
Example:
[deployment-client]
[target-broker:deploymentServer]
# the deployment server address is set with targetUri, not server
targetUri=ds:8089
deploymentserver.conf
Used to configure the Deployment Server and manage clients.
Example:
[serverClass:linux_servers]
whitelist.0=*.linux.local
authorize.conf
Controls user roles and their capabilities.
Example:
[role_admin]
importRoles=user
# capabilities are granted one per line as <capability>=enabled, not via a capabilities key
admin_all_objects=enabled
authentication.conf
Manages authentication with LDAP, SAML, etc.
Example:
[authentication]
authType=LDAP
web.conf
Controls Splunk Web UI settings like ports and session timeout.
Example:
[settings]
httpport=8000
savedsearches.conf
Contains scheduled searches, alerts, and reports.
Example:
[Report1]
# cron_schedule only takes effect when scheduling is enabled
enableSched=1
cron_schedule=*/5 * * * *
search=index=_internal
macros.conf
Defines reusable search macros.
Example:
[macro_name]
definition=search index=main | stats count
eventtypes.conf
Defines named search strings for reuse.
Example:
# the stanza name is the event type name; the eventtype=<name> form belongs to tags.conf
[login_errors]
search=sourcetype=auth action=failure
tags.conf
Applies metadata tags to fields or values.
Example:
[eventtype=login_errors]
security=enabled
datamodels.conf
Defines data models used for acceleration and Pivot.
Example:
[Web]
acceleration=true
collections.conf
Defines KV Store collections and fields.
Example:
[my_collection]
# _key is created automatically; declare collection fields as field.<name>=<type>
field.user=string
field.failures=number
restmap.conf
Configures custom REST endpoints.
Example:
[script:my_endpoint]
# match is the URL path pattern (there is no pattern key);
# script and handler are placeholder names for the Python module and class that serve it
match=/custom
script=my_endpoint.py
handler=my_endpoint.MyEndpointHandler
requireAuthentication=true
clustering.conf
Used in indexer or search head (SH) clustering setup.
Example:
[clustering]
mode=master
serverclass.conf
Defines deployment server client groups.
Example:
[serverClass:windows]
whitelist.0=*.windows.local
health.conf
Controls health report system for Splunk components.
Example:
[disk]
max_usage_pct=90
telemetry.conf
Manages what telemetry data Splunk shares with Splunk Inc.
Example:
[general]
sendAnonymousUsageData=false
alert_actions.conf
Customizes alert actions such as email, script, webhook.
Example:
[email]
sendresults=true
workflow_actions.conf
Defines workflow actions shown in the search results UI.
Example:
[action]
label=Lookup IP
viewstates.conf
Stores dashboard/view state preferences.
Example:
[view:example_dashboard]
owner=admin
times.conf
Custom time range presets for searches.
Example:
# the stanza name is the preset's internal name; label is what the UI shows
[last_30_minutes]
label=Last 30 Minutes
earliest_time=-30m
latest_time=now
nav.conf
Configures navigation bar in Splunk Web.
Example:
[default]
view=dashboard
panels.conf
Stores reusable panel definitions.
Example:
[panel:traffic_panel]
search=index=web
metrics.conf
Configures ingestion of metrics data.
Example:
[default]
no_indexing=true
log-review.conf
Controls UI behavior for event log review.
Example:
[settings]
show_all_fields=true