The Config Labyrinth • Room 1

Configuration File Structure

Splunk's behavior is controlled by .conf files located under $SPLUNK_HOME/etc/. The directory structure follows a precedence hierarchy.

System-level configs live in system/default/ (never edit these!) and system/local/ (for your overrides). App-level configs live in apps/<app-name>/default/ and apps/<app-name>/local/.

Splunk merges these layers together, with local/ always winning over default/, and app-level winning over system-level for the current app context.

Golden rule: NEVER modify files in default/ directories. Always create or edit files in local/ directories.
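The layered merge described above, as an added example (not Splunk's own code): it merges one .conf file setting by setting across the four directories named here and records which layer supplied each effective value, which is what you check when a local/ override may have changed a default. The file demo.conf, its stanza and settings, and the app name my_app are hypothetical, and the sample files are constructed.

```python
import configparser
import tempfile
from pathlib import Path

# Highest precedence first, following the order described above for an app context.
LAYERS = ["apps/{app}/local", "apps/{app}/default", "system/local", "system/default"]

# Constructed sample tree: demo.conf, its stanza and its settings are hypothetical.
SAMPLE = {
    "system/default/demo.conf": "[demo_stanza]\ntimeout = 60\nretries = 3\nenabled = true\n",
    "system/local/demo.conf": "[demo_stanza]\ntimeout = 30\n",
    "apps/my_app/default/demo.conf": "[demo_stanza]\nretries = 5\n",
    "apps/my_app/local/demo.conf": "[demo_stanza]\nretries = 1\n",
}

def effective_conf(etc, app, conf_name):
    """Return {stanza: {setting: (value, winning_layer)}} for one .conf file."""
    merged = {}
    # Apply the lowest-precedence layer first so higher layers overwrite per setting.
    for layer in reversed(LAYERS):
        rel = layer.format(app=app)
        path = Path(etc) / rel / conf_name
        if not path.is_file():
            continue
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.optionxform = str  # keep setting names case-sensitive
        parser.read(path)
        for stanza in parser.sections():
            for key, value in parser.items(stanza):
                merged.setdefault(stanza, {})[key] = (value, rel)
    return merged

def run_sample():
    """Write SAMPLE into a temporary etc/ tree and merge it for my_app."""
    with tempfile.TemporaryDirectory() as etc:
        for rel, text in SAMPLE.items():
            target = Path(etc) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return effective_conf(etc, "my_app", "demo.conf")

if __name__ == "__main__":
    for stanza, settings in run_sample().items():
        for key, (value, layer) in sorted(settings.items()):
            print(f"{layer:24} [{stanza}] {key} = {value}")
```

On a real instance, splunk btool <conf-name> list --debug reports the effective settings together with the file each one came from.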

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Question 1 of 2
Which directory should you NEVER modify?
A. local/
B. default/
C. bin/
D. etc/