Solved: Does Splunk ES live entirely within etc/apps?

andrewaalin · ‎06-25-2018

Is there any component that makes Splunk ES tick, which isn't inside the directory etc/apps?

LukeMurphey · ‎06-25-2018

It depends on what you mean. Let me try to explain:

Short answer
ES is indeed composed of a series of apps. In that sense, it is indeed within etc/apps.

Long answer
There are some times in which ES creates files outside of etc/apps. Some examples include:

Log files are made in var/log/splunk
Stash files are made in var/spool/splunk (stash files are created to send event
Lookup editing involves creating temporary lookup files in a shared directory

It is also important to note that apps are sometimes placed outside of etc/apps (for example with apps are placed in the slave-apps directory on indexer clusters).

View solution in original post

LukeMurphey · ‎06-25-2018

It depends on what you mean. Let me try to explain:

Short answer
ES is indeed composed of a series of apps. In that sense, it is indeed within etc/apps.

Long answer
There are some times in which ES creates files outside of etc/apps. Some examples include:

Log files are made in var/log/splunk
Stash files are made in var/spool/splunk (stash files are created to send event
Lookup editing involves creating temporary lookup files in a shared directory

It is also important to note that apps are sometimes placed outside of etc/apps (for example with apps are placed in the slave-apps directory on indexer clusters).

Does Splunk ES live entirely within etc/apps?

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup