https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-Splunk-ES-live-entirely-within-etc-apps/m-p/403364#M4628 <P>Is there any component that makes Splunk ES tick, which isn't inside the directory etc/apps?</P> Mon, 25 Jun 2018 17:55:16 GMT andrewaalin 2018-06-25T17:55:16Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-Splunk-ES-live-entirely-within-etc-apps/m-p/403364#M4628 <P>Is there any component that makes Splunk ES tick, which isn't inside the directory etc/apps?</P> Mon, 25 Jun 2018 17:55:16 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-Splunk-ES-live-entirely-within-etc-apps/m-p/403364#M4628 andrewaalin 2018-06-25T17:55:16Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-Splunk-ES-live-entirely-within-etc-apps/m-p/403365#M4629 <P>It depends on what you mean. Let me try to explain:</P> <P><STRONG>Short answer</STRONG><BR /> ES is indeed composed of a series of apps. In that sense, it is indeed within etc/apps.</P> <P><STRONG>Long answer</STRONG><BR /> There are some times in which ES creates files outside of etc/apps. Some examples include:</P> <UL> <LI>Log files are made in var/log/splunk</LI> <LI>Stash files are made in var/spool/splunk (stash files are created to send event</LI> <LI>Lookup editing involves creating temporary lookup files in a shared directory</LI> </UL> <P>It is also important to note that apps are sometimes placed outside of etc/apps (for example with apps are placed in the slave-apps directory on indexer clusters).</P> Mon, 25 Jun 2018 18:15:23 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-Splunk-ES-live-entirely-within-etc-apps/m-p/403365#M4629 LukeMurphey 2018-06-25T18:15:23Z