Knowledge Management

Does anyone have splunk file structure diagram


Do anyone of you have Splunk directories and file structure diagram with paths to config files similar to the one on the below link

Tags (3)
0 Karma

Splunk Employee
Splunk Employee

Actually, that link may have the diagram you are looking for. I have attached the specific image that I think will be helpful. If you look at bottom portion of the image that starts at $SPLUNK_HOME you can see the file paths to particular apps through the $SPLUNK_HOME/etc/apps path. Each of those apps will have a structure that is similar to the orange and green "$APP_HOME" diagram at the top of the attached picture where you will be able to edit your configuration files for a specific app (in the local directory which is at the right of the diagram).

It is important to remember the precedence of configuration files whenever making changes to them. Below is a link that explains configuration file precedence and a list of both Global configuration files and App/User specific configuration files.

alt text

Not applicable

This is very good.
Thank you @mroman

0 Karma


This helped a lot! thank you!!

0 Karma


Are TAs installed in the same place as Apps? Correct me if wrong, but shouldn't Add-Ons be installed on the indexers and Apps on the Search Heads in a clustered environment?

0 Karma


As usually it depends. If those apps have any views/dashboards then those are installed on sh layer. Usually “apps” (aka TAs) w/o views are installed mainly on heavy forwarded (some time UF or IDX), but I think that there are also times when those are also installed on sh-layer too (e.g. fields definitions),

0 Karma

New Member

My thoughts are that you should read the app/add-on description. The developer must have mentioned how and were to install the app/add-on.

0 Karma


@vrmandadi... Same page has another detailed diagram.

If you want to create a Splunk App you can refer to the following as well:

| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...