Splunk Search

What is the purpose of the file conf.conf found in .../etc/system/default ?


I read 12 questions/answers when searching for conf.conf. I still have no idea of the meaning/purpose of that file. Please help.

Tags (2)
0 Karma

Ultra Champion

The following speaks about the conf.conf - Splunk precedence issue

It explains there the following -

-- $SPLUNK_HOME/etc/system/local takes precedence over any app config (whether local OR default) in $SPLUNK_HOME/etc/apps. If you are using the deployment server, you are best served by not placing any local (site-specific) configs in $SPLUNK_HOME/etc/system/local, since these cannot be overridden by apps sent by the deployment server.

Because of the precedence rules set out in $SPLUNK_HOME/etc/system/default/conf.conf, the behavior that [~rameshlpatel] is observing is correct, even if it's not what's intended.


Yo dawg,
Splunk heard you liked conf, so they put conf.conf in your conf so you they can conf your conf from conf.

Seriously though, the conf.conf file controls configuration precedence in Splunk. It isn't documented very well, because it isn't meant to be modified. I haven't really messed with it much (nor do I recommend doing so), but here is a fun tip to see the configuration file precedence in Splunk:

grep conf conf.conf | grep ­‐v confdb
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!