Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- What is the location of Common/Shared/Replicated c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the location of Common/Shared/Replicated configurations for members in a Splunk 6.2 Search Head Cluster on Windows?
I have configured Search Head Clustering in my Distributed Environment which is working Perfectly fine.
I need to know what is the shared location for Search head cluster members from where they share the common configurations. Also if they replicate the configurations, where can I see these configurations in my Search Head Cluster?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can see the configuration of your Search Head in this file: distsearch.conf in $SPLUNK_HOME/etc/system/local/ or $SPLUNK_HOME/etc/system/default/
shared storage location for Search head cluster members from where they share the common configurations is the share directory for Search head cluster members. It means that each cluster member must have an access to that directory to prevent the fact that if one search head is defective, others members will done his work. To do so, they replicate the configurations.
That shared storage location is: $SPLUNK_HOME/etc directory
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi NOUMSSI,
Thanks for your Prompt response. Where my saved searches and alerts will get stored? I mean the shared location for them from where other members will pickup those reports, searches, alerts and dashboards ?
Regards,
Sourabh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes because reports, searches, alerts and dashboards are contained in one or more app(s) and all apps are storaged in the apps directory ($SPLUNK_HOME/etc/apps) wich is a subdirectory of $SPLUNK_HOME/etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your problem is solved, don't forget to accept my answer by clicking on "Accept" below their answer.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
