App directory structure
If you do much beyond
building searches and dashboards, sooner or later you will need to edit files in the filesystem directly. All apps live in $SPLUNK_HOME/etc/apps/. On Unix systems, the default installation directory is /opt/splunk. On Windows, the default installation directory is c:\Program Files\Splunk. This is the value that $SPLUNK_HOME will inherit on startup.
Stepping through the most common directories, we have:
appserver: This directory contains files that are served by the Splunk web app. The files that we uploaded in earlier sections of this chapter are stored inappserver/static.bin: This is where command scripts belong. These scripts are then referenced incommands.conf. This is also a common location for scripted inputs to live, though they can live anywhere.defaultandlocal: These two directories contain the vast majority of the configurations that make up an app. We will discuss these configurations and how they merge in Chapter 10, Configuring...
