Solved: Re: Does Splunk ES live entirely within etc/apps?

andrewaalin · ‎06-25-2018

Is there any component that makes Splunk ES tick, which isn't inside the directory etc/apps?

LukeMurphey · ‎06-25-2018

It depends on what you mean. Let me try to explain:

Short answer
ES is indeed composed of a series of apps. In that sense, it is indeed within etc/apps.

Long answer
There are some times in which ES creates files outside of etc/apps. Some examples include:

Log files are made in var/log/splunk
Stash files are made in var/spool/splunk (stash files are created to send event
Lookup editing involves creating temporary lookup files in a shared directory

It is also important to note that apps are sometimes placed outside of etc/apps (for example with apps are placed in the slave-apps directory on indexer clusters).

View solution in original post

LukeMurphey · ‎06-25-2018

It depends on what you mean. Let me try to explain:

Short answer
ES is indeed composed of a series of apps. In that sense, it is indeed within etc/apps.

Long answer
There are some times in which ES creates files outside of etc/apps. Some examples include:

Log files are made in var/log/splunk
Stash files are made in var/spool/splunk (stash files are created to send event
Lookup editing involves creating temporary lookup files in a shared directory

It is also important to note that apps are sometimes placed outside of etc/apps (for example with apps are placed in the slave-apps directory on indexer clusters).

Does Splunk ES live entirely within etc/apps?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes