Splunk stores its configuration in .conf files under the install directory: /opt/splunkforwarder for a Universal Forwarder (the client) and /opt/splunk for a full Splunk Enterprise instance (the server). Settings placed in etc/system/local or etc/apps/<app>/local override the shipped defaults in etc/system/default, so the files listed below are where site-specific values live.
Splunk client

| Description | Location | Example |
|---|---|---|
| Splunk deployment server. The forwarder polls it on the management port (8089, TLS) for app and config updates. The setting lives in the [target-broker:deploymentServer] stanza. | /opt/splunkforwarder/etc/system/local/deploymentclient.conf | targetUri = DEPLOYMENT_SERVER_URL:8089 |
| Receiving indexer or intermediate forwarder addresses. The forwarder sends event data to these on the receiving port (9997). The setting lives in a [tcpout:<group>] stanza; tcpout-aws is the site's app name. | /opt/splunkforwarder/etc/apps/tcpout-aws/local/outputs.conf | server = FORWARDER1_ADDRESS:9997,FORWARDER2_ADDRESS:9997 |
| Linux system log (syslog). Splunk tails this file. | /var/log/messages | To write a message to the system log: logger "My message". To find it: grep "My message" /var/log/messages |

Caveat: /var/log/messages is the syslog file on RHEL-family systems. Debian and Ubuntu write to /var/log/syslog instead, and a host that runs journald without rsyslog has neither file, so check which path actually exists before pointing a monitor input at it.
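The table above gives the two files a forwarder needs and a manual logger/grep check. The script below is an added example, not Splunk's own tooling: it reads the same two settings out of the .conf files (stanza-aware, so a `server` key in another stanza is not picked up), tests whether each target accepts a TCP connection from the forwarder host, and waits for a marker written with `logger` to appear in the tailed log file. The paths default to the locations in the table; the host names and the config files in the self-test are constructed samples.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a Universal Forwarder's outbound configuration.
# Not part of Splunk. Paths default to the table above; UF_HOME can override.
set -u

UF_HOME="${UF_HOME:-/opt/splunkforwarder}"

# Print the value of KEY from the [STANZA] section of a Splunk .conf file.
# Only the named stanza is searched, so "server" under [tcpout:primary] is not
# confused with a "server" key elsewhere in the file.
# Usage: conf_value FILE STANZA KEY   (stanza name without brackets)
conf_value() {
  local file=$1 stanza=$2 key=$3
  awk -v s="[$stanza]" -v k="$key" '
    /^[[:space:]]*\[/ {
      line = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
      in_stanza = (line == s); next
    }
    in_stanza && $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }
  ' "$file"
}

# Deployment server host:port (targetUri in deploymentclient.conf).
# Usage: deployment_target [FILE]
deployment_target() {
  conf_value "${1:-$UF_HOME/etc/system/local/deploymentclient.conf}" \
             "target-broker:deploymentServer" targetUri
}

# Receiving indexer/forwarder host:port entries for one tcpout group, one per line.
# Usage: output_servers FILE GROUP   (GROUP is the name after "tcpout:")
output_servers() {
  conf_value "$1" "tcpout:$2" server \
    | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# Return 0 if HOST:PORT accepts a TCP connection within TIMEOUT seconds (default 3).
# Uses bash's /dev/tcp so nothing beyond bash and coreutils is needed on the host.
tcp_reachable() {
  local hostport=$1 timeout=${2:-3}
  timeout "$timeout" bash -c "exec 3<>/dev/tcp/${hostport%:*}/${hostport##*:}" 2>/dev/null
}

# Poll LOGFILE until MARKER appears or TIMEOUT seconds (default 10) pass.
# Usage: wait_for_marker LOGFILE MARKER [TIMEOUT]
wait_for_marker() {
  local logfile=$1 marker=$2 timeout=${3:-10} i=0
  while [ "$i" -lt "$timeout" ]; do
    grep -qF -- "$marker" "$logfile" 2>/dev/null && return 0
    sleep 1; i=$((i + 1))
  done
  return 1
}

# Operator flow on a real forwarder (not run by the self-test):
# Usage: check_forwarder OUTPUTS_CONF GROUP [LOGFILE]
check_forwarder() {
  local outputs=$1 group=$2 logfile=${3:-/var/log/messages} target marker
  target=$(deployment_target)
  tcp_reachable "$target" && echo "deployment server $target: reachable" \
                           || echo "deployment server $target: NOT reachable"
  for target in $(output_servers "$outputs" "$group"); do
    tcp_reachable "$target" && echo "output $target: reachable" \
                             || echo "output $target: NOT reachable"
  done
  marker="uf-check-$(date +%s)-$$"           # unique so an old line cannot match
  logger "$marker"
  wait_for_marker "$logfile" "$marker" 15 && echo "marker reached $logfile" \
                                          || echo "marker NOT found in $logfile"
}
```

A reachable port only proves the network path; whether the forwarder actually trusts the indexer certificate is decided by the sslRootCAPath/sslVerifyServerCert settings in the same outputs.conf, and a failed TLS handshake shows up in /opt/splunkforwarder/var/log/splunk/splunkd.log rather than in this check.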
Splunk server

| Description | Location |
|---|---|
| Data directory of the default index (main); each index has its own directory under /opt/splunk/var/lib/splunk/ | /opt/splunk/var/lib/splunk/defaultdb/ |
| splunkd log (startup, TLS, input and forwarder connection errors land here) | /opt/splunk/var/log/splunk/splunkd.log |
Useful Splunk UI searches
To list all indexes (the rest command runs with the search user's permissions, so it only lists indexes that user is allowed to see):
| rest /services/data/indexes | dedup title | sort title | table title
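The same endpoint the search above queries is reachable directly on the management port, which is handy from a jump host or a script without opening the search UI. The functions below are an added example, not Splunk's tooling: they assume splunkd's management port is 8089, that the caller supplies a user name and the CA bundle that signed the server certificate, and that in a data/indexes response only the entry objects carry a "name" key (the sample response is constructed).

```shell
#!/usr/bin/env bash
# Added example: list indexes over splunkd's REST API from the shell.
# Not part of Splunk. Assumes the management port is 8089 (SPLUNK_MGMT overrides).
set -u

SPLUNK_MGMT="${SPLUNK_MGMT:-https://localhost:8089}"

# Fetch the index list as JSON. --cacert makes curl verify the server
# certificate; "-k" (skip verification) belongs only on a throwaway lab box.
# count=0 returns every entry instead of the default page size.
# Usage: fetch_indexes_json CA_BUNDLE USER   (curl prompts for the password)
fetch_indexes_json() {
  local ca_bundle=$1 user=$2
  curl --silent --show-error --fail --cacert "$ca_bundle" -u "$user" \
       "$SPLUNK_MGMT/services/data/indexes?output_mode=json&count=0"
}

# Read JSON on stdin and print the entry names, one per line, sorted and unique:
# the REST-side equivalent of "| dedup title | sort title | table title".
# Uses jq when installed; otherwise falls back to a grep for "name" keys, which
# assumes no nested object in the response carries a "name" key of its own.
index_names() {
  if command -v jq >/dev/null 2>&1; then
    jq -r '.entry[].name'
  else
    grep -o '"name"[[:space:]]*:[[:space:]]*"[^"]*"' | sed 's/.*:[[:space:]]*"//;s/"$//'
  fi | sort -u
}

# End-to-end call against a live instance (not run by the self-test).
# Usage: list_indexes CA_BUNDLE USER
list_indexes() {
  fetch_indexes_json "$1" "$2" | index_names
}

# Constructed sample with the shape of a data/indexes reply (abridged):
# "main" appears twice to show the dedup step doing work.
SAMPLE_JSON='{"entry":[{"name":"main","content":{"homePath":"$SPLUNK_DB/defaultdb/db"}},{"name":"_internal","content":{}},{"name":"main","content":{}}]}'
```

Like the SPL version, the call is subject to the role of the user you authenticate as, so an account that cannot see an index in search will not see it here either.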