Splunk configuration

Splunk stores its configuration values in .conf files under the installation directory: /opt/splunkforwarder for the universal forwarder and /opt/splunk for the server.

Splunk client

Description                                   Location
Splunk Deployment server                      /opt/splunkforwarder/etc/system/local/deploymentclient.conf
    Example:
    targetUri = DEPLOYMENT_SERVER_URL:8089
Splunk Forwarder target address(es)           /opt/splunkforwarder/etc/apps/tcpout-aws/local/outputs.conf
    Example:
    server = FORWARDER1_ADDRESS:9997,FORWARDER2_ADDRESS:9997
Linux event log (Splunk tails this file)      /var/log/messages
    To log a message in the Linux event log:
    logger "My message"
    To find a message in the Linux event log:
    grep "My message" /var/log/messages
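Added example, not from the original page: a POSIX shell check that parses the two forwarder files listed above (Splunk .conf files are INI-style stanzas) and confirms that the deployment server and indexer targets use the expected ports. The hostnames, the aws_indexers group name and the sample file contents are constructed; the stanza names follow Splunk's deploymentclient.conf and outputs.conf layout.

```shell
# Added example (not from the original page): parse Splunk .conf files
# (INI-style stanzas) and verify the forwarding targets they declare.
# Constructed samples stand in for the real files at
# /opt/splunkforwarder/etc/system/local/deploymentclient.conf and
# /opt/splunkforwarder/etc/apps/tcpout-aws/local/outputs.conf.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/deploymentclient.conf" <<'EOF'
# constructed sample
[target-broker:deploymentServer]
targetUri = deploy.example.internal:8089
EOF
cat > "$SAMPLE_DIR/outputs.conf" <<'EOF'
# constructed sample
[tcpout]
defaultGroup = aws_indexers
[tcpout:aws_indexers]
server = fwd1.example.internal:9997, fwd2.example.internal:9997
EOF

# conf_get FILE STANZA KEY: print the value of KEY inside [STANZA].
# Tracks the current stanza so the same key in another stanza is ignored,
# skips comment lines and trims whitespace around '=' and the value.
conf_get() {
    awk -v stanza="$2" -v key="$3" '
        /^[[:space:]]*#/ { next }
        /^\[.*\]/ { cur = $0; sub(/^\[/, "", cur); sub(/\].*/, "", cur); next }
        cur == stanza && index($0, "=") {
            k = $0; v = $0
            sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
            sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_targets FILE STANZA KEY PORT: succeed only if every comma-separated
# host:port in the value uses PORT (9997 for indexers, 8089 for management).
check_targets() {
    value=$(conf_get "$1" "$2" "$3")
    [ -n "$value" ] || return 1
    echo "$value" | tr ',' '\n' | while read -r target; do
        case "$target" in
            *:"$4") ;;      # expected port, keep going
            *) exit 1 ;;    # missing or unexpected port fails the whole check
        esac
    done
}
# Stand-alone run: report what the sample files declare.
echo "deployment server: $(conf_get "$SAMPLE_DIR/deploymentclient.conf" target-broker:deploymentServer targetUri)"
check_targets "$SAMPLE_DIR/outputs.conf" tcpout:aws_indexers server 9997 && echo "all indexer targets use port 9997"
```

Point SAMPLE_DIR at /opt/splunkforwarder/etc and adjust the paths to run the same checks against a live forwarder.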

Splunk server

Description                 Location
Default data directory      /opt/splunk/var/lib/splunk/defaultdb/
Log location                /opt/splunk/var/log/splunk/splunkd.log

Useful Splunk UI searches

To list all indexes

| REST /services/data/indexes | dedup title | sort title | table title
