Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Save/Merge local changes to default

MrLR_02
Explorer
‎04-09-2025 12:22 AM

Hello,

Splunk offers the option of saving changes made in an app via Splunk Web directly to the default directory. By default, Splunk saves all changes made via the Splunk Web interface in the local directory.
Is there a possibility that the changes are saved directly to the default directory?

Some more information about the background of the question:
For my Splunk instances, the config management is done using Gitlab.
All config files in the apps are pushed to the corresponding Splunk instances in the default directory.
When I clone an app to my Dev-Splunk instance and make changes, these are saved in the corresponding local directory. Before I can push the changes to my Prod-Splunk instance via Gitlab, I have to manually copy the changes from local/config files to the default/config files.
This step is quite tedious as soon as it is not just a single config file.

Have any of you already had the same problem and can give me a tip as to whether this is technically possible in Splunk?


best regards
Lukas

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎04-09-2025 01:55 AM

Hi @MrLR_02 

Splunk does not support saving configuration changes directly to the default directory via Splunk Web; all UI changes are always written to the local directory.

If you want to pull these back in to Git then you have a number of options:

  1. API Calls to download the knowledge objects and store them on a filesystem (and of course optionally commit to Git). This is my current favourite approach and using this with a couple of customers. We are using a customised version of https://github.com/paychex/splunk-python/blob/main/Splunk2Git/Splunk2Git.py which we use within a CICD pipeline to periodically pull down changes from the remote instance and then merge them into local. 
  2. There are Splunkbase apps such as Git Version Control for Splunk which might work well in your scenario - allowing you to sync specific knowledge object types into Git.
  3. There is another app/Python tool called KSConf which is great at merging local content in to default. If you have physical access to your dev environement then you might be able to use this in combination with some scripting to merge content and push it in to Git.

These are just a few ideas and there are others out there, but from my experience have worked well for me in the past. 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

View solution in original post

Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎04-09-2025 01:55 AM

Hi @MrLR_02 

Splunk does not support saving configuration changes directly to the default directory via Splunk Web; all UI changes are always written to the local directory.

If you want to pull these back in to Git then you have a number of options:

  1. API Calls to download the knowledge objects and store them on a filesystem (and of course optionally commit to Git). This is my current favourite approach and using this with a couple of customers. We are using a customised version of https://github.com/paychex/splunk-python/blob/main/Splunk2Git/Splunk2Git.py which we use within a CICD pipeline to periodically pull down changes from the remote instance and then merge them into local. 
  2. There are Splunkbase apps such as Git Version Control for Splunk which might work well in your scenario - allowing you to sync specific knowledge object types into Git.
  3. There is another app/Python tool called KSConf which is great at merging local content in to default. If you have physical access to your dev environement then you might be able to use this in combination with some scripting to merge content and push it in to Git.

These are just a few ideas and there are others out there, but from my experience have worked well for me in the past. 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply
Solved! Jump to solution

MrLR_02
Explorer
‎04-09-2025 02:27 AM

Thanks for you Feedback. I think the ksconf App might be the right Solution for my UseCase.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...