I inherited a Splunk installation and I'm a little confused about the app directories in $SPLUNK_HOME/etc (I'm sure its probably answered in docs.splunk.com, and I've looked but I can't seem to find where this might be documented)
(1) I have both a standalone Splunk installation and an installation with a cluster manager. In each installation there is an "apps", "deployment-apps", "master-apps" and "system" directory in $SPLUNK_HOME/etc. When would I use each specific directory?
(2) Within "apps", "deployment-apps", and "master-apps", there are directories (that have the standard default/local/metadata subdirectories) called IA-appname and TA-appname where appname is something like "shibboleth" for data forwarded from Shibboleth servers. What goes in the IA dirs and what goes in the TA dirs?
(3) Is there a way (either CLI or Web GUI) to determine if the changes I've made or IA/TA subdirectories I've created have been incorporated into the Splunk configuration?
Thanks for any help/suggestions/links you can offer.
Mike
... View more