Chapter 10. Configuring Splunk
Everything that controls Splunk lives in configuration files sitting in the filesystem of each instance of Splunk. These files are unencrypted, easily readable, and easily editable. Almost all of the work that we have done so far has been accomplished through the web interface, but everything actually ends up in these configuration files.
While the web interface does a lot, there are many options that are not represented in the admin interface. There are also some things that are simply easier to accomplish by editing the files directly.
In this chapter, we will cover:
Locating configuration files
Merging configurations
Debugging configurations
Common configurations and their parameters