Where To Find Configuration Files in Splunk

If you’ve added an input, saved search, or any other kind of config through the UI, you might have a lot of trouble finding the configuration file later.

If you’re on Unix, the easiest way is to search the whole etc directory for the name:

    cd /opt/splunk/etc/
    grep -RE MySearchName .

If you’re on Windows... well, frankly I’d download UnxUtils and do the same.

Or you can look manually! Here are some good places:

It’s easy for this to become a complete mess. I highly recommend creating a standard method for modifying your files. Personally, I make all of my app-specific changes in /opt/splunk/etc/apps/MyApp/default via the file system directly (then hit the refresh endpoint at http://YourServer:8000/en-US/debug/refresh). That allows other admins to make changes if they desire. While it confuses things if they make changes through the UI and it no longer loads my default, it doesn’t risk overwriting my own version. For system changes, I put them all in /opt/splunk/etc/system/local (except for those that need to be in just /system).
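
As an added example (not from the original post), here is a stricter version of the grep above: it matches only the exact stanza header, labels each hit as default or local, and lists default files that have a local copy of the same stanza sitting on top of them. The function names and the sample tree are constructed for illustration, and GNU grep is assumed for --include.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Print "layer<TAB>relative/path" for every .conf file under ROOT that
# contains the stanza header [NAME].
find_stanza() {
    root=${1%/}; name=$2
    # -F literal match, -x whole line, so "[Foo]" does not match "[FooBar]".
    grep -R -l -F -x --include='*.conf' -e "[$name]" "$root" 2>/dev/null |
    while IFS= read -r f; do
        case $f in
            */local/*)   layer=local ;;
            */default/*) layer=default ;;
            *)           layer=other ;;
        esac
        printf '%s\t%s\n' "$layer" "${f#"$root"/}"
    done | LC_ALL=C sort
}

# Print each default/ file whose sibling local/ file defines the same stanza,
# i.e. places where a UI edit now sits on top of the hand-maintained default.
shadowed_defaults() {
    find_stanza "$1" "$2" | while IFS="$(printf '\t')" read -r layer path; do
        [ "$layer" = default ] || continue
        sibling=$(printf '%s\n' "$path" | sed 's|/default/|/local/|')
        if grep -q -F -x -e "[$2]" "${1%/}/$sibling" 2>/dev/null; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample tree standing in for /opt/splunk/etc.
make_sample_tree() {
    mkdir -p "$1/apps/MyApp/default" "$1/apps/MyApp/local" "$1/system/local"
    printf '[MySearchName]\nsearch = index=main error\n' \
        > "$1/apps/MyApp/default/savedsearches.conf"
    printf '[MySearchName]\nsearch = index=main error OR fail\n' \
        > "$1/apps/MyApp/local/savedsearches.conf"
    printf '[MySearchNameOld]\nsearch = index=main\n' \
        > "$1/system/local/savedsearches.conf"
}
```

Against a real install the call would be `find_stanza /opt/splunk/etc MySearchName`. Stanza headers with trailing whitespace or Windows line endings will not match the whole-line test.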

This is also a great time to mention the Splunk doc on config file inheritance.

Did I miss any?

