Splunk Search

What is the purpose of the file conf.conf found in .../etc/system/default ?


I read 12 questions/answers when searching for conf.conf. I still have no idea of the meaning/purpose of that file. Please help.

Tags (2)
0 Karma

Ultra Champion

The following speaks about the conf.conf - Splunk precedence issue

It explains there the following -

-- $SPLUNK_HOME/etc/system/local takes precedence over any app config (whether local OR default) in $SPLUNK_HOME/etc/apps. If you are using the deployment server, you are best served by not placing any local (site-specific) configs in $SPLUNK_HOME/etc/system/local, since these cannot be overridden by apps sent by the deployment server.

Because of the precedence rules set out in $SPLUNK_HOME/etc/system/default/conf.conf, the behavior that [~rameshlpatel] is observing is correct, even if it's not what's intended.


Yo dawg,
Splunk heard you liked conf, so they put conf.conf in your conf so you they can conf your conf from conf.

Seriously though, the conf.conf file controls configuration precedence in Splunk. It isn't documented very well, because it isn't meant to be modified. I haven't really messed with it much (nor do I recommend doing so), but here is a fun tip to see the configuration file precedence in Splunk:

grep conf conf.conf | grep ­‐v confdb
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...