I am new to Splunk and trying to find an answer to a question. I would really appreciate it if you could guide me to good documentation or a link.
In short, everything in /opt/splunk/etc/system/default and, if it's an app / add-on, anything in /opt/splunk/etc/apps/<app_name>/default is changed or adjusted. This is the primary reason for making any customizations in the /local directory in either an app or the CORE component. (This is assuming a non-clustered deployment.) If you make changes in a /default directory, they will be overwritten on upgrade.
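
An added example, not part of the original answer or Splunk's own code: a simplified model of how a setting in an app's local directory is layered over the same file in default, and why it survives an upgrade that rewrites default. The app name `example_app`, the stanza and the index names are constructed, and only the default/local layer within one app is modelled.

```python
import tempfile
from pathlib import Path

def parse_conf(path):
    """Parse a Splunk-style .conf file into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    if not path.exists():
        return stanzas
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective(app_dir, conf_name):
    """Layer local/ over default/ for one app; local wins per key."""
    merged = parse_conf(app_dir / "default" / conf_name)
    for stanza, kv in parse_conf(app_dir / "local" / conf_name).items():
        merged.setdefault(stanza, {}).update(kv)
    return merged

def demo():
    """Constructed app: customise in local/, then simulate an upgrade."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "etc" / "apps" / "example_app"  # hypothetical app
        (app / "default").mkdir(parents=True)
        (app / "local").mkdir()
        stanza = "[monitor:///var/log/auth.log]\n"
        shipped = app / "default" / "inputs.conf"
        shipped.write_text(stanza + "disabled = 1\nindex = main\n")
        # Customisation kept in local/, never edited into default/
        (app / "local" / "inputs.conf").write_text(
            stanza + "disabled = 0\nindex = os_auth\n")
        before = effective(app, "inputs.conf")
        # Upgrade: default/ is replaced by the new shipped copy, local/ untouched
        shipped.write_text(
            stanza + "disabled = 1\nindex = main\nsourcetype = linux_secure\n")
        after = effective(app, "inputs.conf")
    return before, after

if __name__ == "__main__":
    for label, conf in zip(("before upgrade", "after upgrade"), demo()):
        print(label, conf)
```
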