Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does Splunk ES live entirely within etc/apps?

andrewaalin
Explorer
‎06-25-2018 10:55 AM

Is there any component that makes Splunk ES tick, which isn't inside the directory etc/apps?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎06-25-2018 11:15 AM

It depends on what you mean. Let me try to explain:

Short answer
ES is indeed composed of a series of apps. In that sense, it is indeed within etc/apps.

Long answer
There are some times in which ES creates files outside of etc/apps. Some examples include:

  • Log files are made in var/log/splunk
  • Stash files are made in var/spool/splunk (stash files are created to send event
  • Lookup editing involves creating temporary lookup files in a shared directory

It is also important to note that apps are sometimes placed outside of etc/apps (for example with apps are placed in the slave-apps directory on indexer clusters).

View solution in original post

Reply
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎06-25-2018 11:15 AM

It depends on what you mean. Let me try to explain:

Short answer
ES is indeed composed of a series of apps. In that sense, it is indeed within etc/apps.

Long answer
There are some times in which ES creates files outside of etc/apps. Some examples include:

  • Log files are made in var/log/splunk
  • Stash files are made in var/spool/splunk (stash files are created to send event
  • Lookup editing involves creating temporary lookup files in a shared directory

It is also important to note that apps are sometimes placed outside of etc/apps (for example with apps are placed in the slave-apps directory on indexer clusters).

Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...