What is the purpose of the file conf.conf found in...

Thuan · ‎07-23-2016

I read 12 questions/answers when searching for conf.conf. I still have no idea of the meaning/purpose of that file. Please help.

ddrillic · ‎07-24-2016

The following speaks about the conf.conf - Splunk precedence issue

It explains there the following -

-- $SPLUNK_HOME/etc/system/local takes precedence over any app config (whether local OR default) in $SPLUNK_HOME/etc/apps. If you are using the deployment server, you are best served by not placing any local (site-specific) configs in $SPLUNK_HOME/etc/system/local, since these cannot be overridden by apps sent by the deployment server.

Because of the precedence rules set out in $SPLUNK_HOME/etc/system/default/conf.conf, the behavior that [~rameshlpatel] is observing is correct, even if it's not what's intended.

dshpritz · ‎07-23-2016

Yo dawg,
Splunk heard you liked conf, so they put conf.conf in your conf so you they can conf your conf from conf.

Seriously though, the conf.conf file controls configuration precedence in Splunk. It isn't documented very well, because it isn't meant to be modified. I haven't really messed with it much (nor do I recommend doing so), but here is a fun tip to see the configuration file precedence in Splunk:

grep conf conf.conf | grep ‐v confdb

What is the purpose of the file conf.conf found in .../etc/system/default ?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?