title says it all? does not state clearly in docs like other files such as inputs.conf
sorry, to clarify i meant
etc/apps//default
or
etc/apps//default
so not one of the splunkbase apps or default splunk apps.
The issue with configuring these in ../default/ is that for any standard app distribution (e.g. search), the configuration file will be overwritten by any upgrade or re-install which applies the default configuration. This results in your custom config changes being wiped out.
Common practice is to put it in ../local/ to prevent the above scenario.
thanks, yes as now i have added to my question i only meant my own custom app. not splunk base or default
These are global files so they should stay where they are.
i can see they can both be found in default install app for a windows UF:
splunk\etc\apps\SplunkUniversalForwarder\default\
I dont want to overwrite anything, only add. I would rather add config only in etc/apps/ for large deployment
Yes, the DS/DC case is the one case where it would be distributed in an app context. We, too have several OS-based "base" forwarder apps that have server-wide settings. This is OK because these apps are mutually-exclusive from eachother. The reason it is not a great idea is because precedence will cause your app's version of the file to be preferred over the system's version. In the case we described, this is desirable. In the case of a "regular" app, this could be disastrous and very poor form.
thanks so over all this does work but the idea is to use local rather than default where you are in a splunk base or splunk default app.