Appendix C: Splunk app configuration

A configuration file (or .conf file) contains configuration information for Splunk Enterprise and apps. You can configure settings and processes by editing stanzas within copies of the default configuration files. Stanzas begin with a text string enclosed in brackets and contain one or more configuration parameters defined by key-value pairs.

Global configuration files for Splunk Enterprise are stored at $SPLUNK_HOME/etc/system/, with default files stored in the default folder, and editable local files in the local folder. You store your app's .conf files as follows, where <your_app> indicates your app's directory:

  • Default settings that are not to be edited by users: $SPLUNK_HOME/etc/apps/<your_app>/default/
  • Local settings, where user-modified settings are stored: $SPLUNK_HOME/etc/apps/<your_app>/local/. Ideally, your app includes a UI that hides these .conf files from users so that they do not have to edit them manually.

To learn more about configuration files, including how settings precedence is determined based on file placement, see "About configuration files" in the Splunk Enterprise Admin Manual. Every .conf file has a corresponding .spec file, which contains a comprehensive listing of every possible .conf file setting, along with an explanation of each possible value. Global .spec files are located at $SPLUNK_HOME/etc/system/README/, and in the "Configuration file reference." You should include .spec files for each of your app's .conf files inside a README folder at the root level of your app's folder.
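The following sketch is an added example, not code from Splunk or from this manual. It parses the stanza format described above and layers one app's local/ file over its default/ file, reporting every setting that a local edit changed. It assumes only the app's own two folders (system-level and other-app layers and backslash line continuations are ignored), and the saved search name and values in the sample are constructed.

```python
import os
import tempfile

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"  # keys before any [stanza] are kept under "default" here
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)  # values may themselves contain "="
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective_settings(app_dir, conf_name):
    """Merge default/<conf_name>, then local/<conf_name>; return (merged, overrides)."""
    merged, overrides = {}, []
    for layer in ("default", "local"):  # local is applied last, so it wins per key
        path = os.path.join(app_dir, layer, conf_name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            parsed = parse_conf(fh.read())
        for stanza, settings in parsed.items():
            target = merged.setdefault(stanza, {})
            for key, value in settings.items():
                if layer == "local" and key in target and target[key] != value:
                    overrides.append((stanza, key, target[key], value))
                target[key] = value
    return merged, overrides

def build_sample_app(root):
    """Write a constructed sample app: a saved search that a local edit disables."""
    default = "[my_saved_search]\nsearch = index=main error\ndisabled = 0\n"
    local = "# user edit\n[my_saved_search]\ndisabled = 1\n"
    for layer, text in (("default", default), ("local", local)):
        os.makedirs(os.path.join(root, layer), exist_ok=True)
        with open(os.path.join(root, layer, "savedsearches.conf"), "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as app:
        build_sample_app(app)
        for stanza, key, old, new in effective_settings(app, "savedsearches.conf")[1]:
            print(f"[{stanza}] {key}: default={old!r} overridden by local={new!r}")
```

Reviewing the override list is a quick way to spot local edits that silently change shipped behavior, such as a saved search that has been disabled.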

The following table lists some common .conf files that are applicable to app development.

| .conf file | Description |
|---|---|
| alert_actions.conf | Configures global alert actions and saved search actions. |
| app.conf | Maintains the state of an app in Splunk Enterprise and customizes an app's settings. This file only exists within individual app folders, not in the global Splunk Enterprise settings location. |
| authorize.conf | Roles and granular access controls. |
| collections.conf | Configures the App Key Value Store (KV Store) collections for a given app in Splunk Enterprise. |
| commands.conf | Search commands for any custom search scripts created. You add your custom search script to $SPLUNK_HOME/etc/searchscripts/ or to $SPLUNK_HOME/etc/apps/<your_app>/bin/. For the latter, put a custom commands.conf file in $SPLUNK_HOME/etc/apps/<your_app>. For the former, put the custom commands.conf in $SPLUNK_HOME/etc/system/local/. |
| datamodels.conf | Configures data models. To configure a data model for your app, put the custom datamodels.conf file in your app's local folder. |
| default.meta.conf | *.meta files contain ownership information, access controls, and export settings for Splunk Enterprise objects like saved searches, event types, and views. Every app has its own default.meta file. |
| eventtypes.conf | Configures event types and their properties. You can also pipe any search to the typelearner search command to create event types. Event types created this way will be written to $SPLUNK_HOME/etc/system/local/eventtypes.conf. |
| inputs.conf | Configures inputs, distributed inputs such as forwarders, and file system monitoring. |
| macros.conf | Search language macros. |
| props.conf | Configures Splunk's processing properties. |
| savedsearches.conf | Saved search entries. Each saved search is its own stanza. |
| tags.conf | Configures tags. Set any number of tags for indexed or extracted fields. |
| transforms.conf | Configures data transformations and event signing. |
| ui-prefs.conf | UI preferences for a view. A view is a UI that uses Simple XML as the underlying code, such as the search app, dashboards, and forms. |