Hi,
I have found several locations with a props.conf in my Docker splunk:8.2 image:
./opt/splunk/etc/apps/legacy/default/props.conf
./opt/splunk/etc/apps/search/local/props.conf
./opt/splunk/etc/apps/search/default/props.conf
./opt/splunk/etc/apps/splunk_internal_metrics/default/props.conf
./opt/splunk/etc/apps/splunk_monitoring_console/default/props.conf
./opt/splunk/etc/apps/sample_app/default/props.conf
./opt/splunk/etc/apps/SplunkLightForwarder/default/props.conf
./opt/splunk/etc/apps/splunk_archiver/default/props.conf
./opt/splunk/etc/apps/splunk_secure_gateway/default/props.conf
./opt/splunk/etc/apps/splunk_rapid_diag/default/props.conf
./opt/splunk/etc/apps/splunk_instrumentation/default/props.conf
./opt/splunk/etc/apps/learned/local/props.conf
./opt/splunk/etc/system/default/props.conf
I noticed that when I add a sourcetype in the Splunk Enterprise web interface (Settings -> sourcetypes), it is saved in two locations:
apps/search/local/props.conf
apps/search/metadata/local.meta
I was just wondering if either of these two would be the right location to copy a manually configured props.conf file to, or if I should rather add it to /opt/splunk/etc/system/default/props.conf instead?
Thanks
Hi! Never modify anything in the default directories! These can be used as a baseline to make configuration changes in the local directories, however.
Generally, Splunk doesn't mind where you make changes.
Most configuration changes made through the web UI will make changes in the /opt/splunk/etc/system/local/ directory OR the apps/search/local/props.conf as you saw.
In practice, most Splunk admins prefer to have an app (located in /opt/splunk/etc/apps/) to manage their configurations. This makes it easy to install those apps to other Splunk servers.
Thank you @Stefanie
Great input. I have read about the concept of creating an app for configuration in another post, but I am not yet at that stage 🙂 I am still experimenting with how to correctly get the data in and then how to make reports from it. But I will keep that in mind and will try to figure that out once I am more familiar with the basics.
Best,
You may have already read this, but this talks about it more in depth:
https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationfiledirectories
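An added example (not from the thread or from Splunk): a simplified Python model of the global-context layering Splunk documents for these directories (system/local, then app local, then app default, then system/default, with apps compared in ASCII name order), run over constructed props.conf contents. The `my_app_log` sourcetype and `my_inputs` app are hypothetical, and search-time app/user context and `source::`/`host::` stanza matching are not modelled.

```python
from pathlib import PurePosixPath

ETC = "/opt/splunk/etc"

def rank(path):
    """Sort key for global-context precedence; the smallest key wins."""
    parts = PurePosixPath(path).relative_to(ETC).parts
    if parts[0] == "system":              # etc/system/<local|default>/props.conf
        return (0 if parts[1] == "local" else 3, "")
    # etc/apps/<app>/<local|default>/props.conf; apps compared in ASCII order
    return (1 if parts[2] == "local" else 2, parts[1])

def parse_conf(text):
    """Minimal .conf reader: [stanza] headers and key = value lines."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective(files):
    """Merge {path: text} per attribute; return {stanza: {key: (value, source)}}."""
    merged = {}
    for path in sorted(files, key=rank, reverse=True):   # weakest layer first
        for stanza, attrs in parse_conf(files[path]).items():
            for key, value in attrs.items():
                merged.setdefault(stanza, {})[key] = (value, path)
    return merged

# Constructed file contents; my_app_log and my_inputs are hypothetical names.
SAMPLE = {
    ETC + "/system/default/props.conf": "[my_app_log]\nSHOULD_LINEMERGE = true\n",
    ETC + "/apps/search/local/props.conf":
        "[my_app_log]\nSHOULD_LINEMERGE = false\nTRUNCATE = 5000\n",
    ETC + "/apps/my_inputs/local/props.conf": "[my_app_log]\nTRUNCATE = 20000\n",
}

if __name__ == "__main__":
    for key, (value, source) in sorted(effective(SAMPLE)["my_app_log"].items()):
        print(f"{key} = {value}    <- {source}")
```

On a running instance, `splunk btool props list --debug` prints the merged settings together with the file each one came from.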