In short, everything in /opt/splunk/etc/system/default and if it's an app / add-on, anything in /opt/splunk/etc/apps/<app_name>/default is changed or adjusted. This is the primary reason for making any customizations in the /local directory in either an app, or the CORE component. (This is assuming a non clustered deployment)
if you make changes in a /default directory, they will be overwritten on upgrade.
... View more