List of configuration files
The following is a list of some of the available spec and example files associated with each conf file. Some conf files do not have spec or example files. Contact Support before editing a conf file that does not have an accompanying spec or example file.
Do not edit the default copy of any conf file in $SPLUNK_HOME/etc/system/default/. See How to edit a configuration file.
| File | Purpose |
|---|---|
| agent_management.conf | Configure the Agent Management feature. |
| alert_actions.conf | Create an alert. |
| app.conf | Configure app properties |
| audit.conf | Configure auditing and event hashing. This feature is not available for this release. |
| authentication.conf | Toggle between Splunk's built-in authentication or LDAP, and configure LDAP. |
| authorize.conf | Configure roles, including granular access controls. |
| bookmarks.conf | Bookmark monitoring console URLs. |
| checklist.conf | Customize monitoring console health check. |
| collections.conf | Configure KV Store collections for apps. |
| commands.conf | Create custom search commands for apps in Splunk Cloud Platform or Splunk Enterprise using in the Developer Guide on the Developer Portal. |
| datamodels.conf | Attribute/value pairs for configuring data models. |
| default.meta | Set permissions for objects in a Splunk app. |
| deploymentclient.conf | Specify behavior for clients of the deployment server. |
| distsearch.conf | Specify behavior for distributed search. |
| event_renderers.conf | Configure event-rendering properties. |
| eventtypes.conf | Create event type definitions. |
| federated.conf | Search data outside of your own Splunk platform deployment. |
| fields.conf | Create multivalue fields and add search capability for indexed fields. |
| global-banner.conf | Display a global banner on all pages in Splunk Web. |
| health.conf | Set the default thresholds for proactive Splunk component monitoring. |
| indexes.conf | Manage and configure index settings. |
| inputs.conf | Set up data inputs. |
| instance.cfg | Designate and manage settings for specific instances of Splunk. This can be handy, for example, when identifying forwarders for internal searches. |
| limits.conf | Set various limits (such as maximum result size or concurrent real-time searches) for search commands. |
| literals.conf | Customize the text, such as search error strings, displayed in Splunk Web. |
| macros.conf | Define search macros in Settings. |
| messages.conf | Customize Splunk Web messages. |
| metric_rollups.conf | Set attribute/value pairs for metric rollup policy entries. |
| multikv.conf | Configure extraction rules for table-like events (ps, netstat, ls). |
| outputs.conf | Set up forwarding behavior. |
| passwords.conf | Maintain the credential information for an app. |
| procmon-filters.conf | Monitor Windows process data. |
| props.conf | Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties. |
| pubsub.conf | Define a custom client of the deployment server. |
| restmap.conf | Create custom REST endpoints. |
| rolling_upgrade.conf | Set up configurations for an automated search head cluster rolling upgrade or an automated indexer cluster rolling upgrade. |
| savedsearches.conf | Define ordinary reports, scheduled reports, and alerts. |
| searchbnf.conf | Configure the search assistant. |
| segmenters.conf | Configure segmentation. |
| server.conf | Contains a variety of settings for configuring the overall state of a Splunk Enterprise instance. For example, the file includes settings for enabling SSL, configuring nodes of an indexer cluster or a search head cluster, configuring KV store, and setting up a license manager. |
| serverclass.conf | Define deployment server classes for use with deployment server. |
| serverclass.seed.xml.conf | Configure how to seed a deployment client with apps at start-up time. |
| source-classifier.conf | Terms to ignore (such as sensitive data) when creating a source type. |
| sourcetypes.conf | Machine-generated file that stores source type learning rules. |
| tags.conf | Configure tags for fields. |
| telemetry.conf | Enable apps to collect telemetry data about app usage and other properties. |
| times.conf | Define custom time ranges for use in the Search app. |
| transactiontypes.conf | Add additional transaction types for transaction search. |
| transforms.conf | Configure regex transformations to perform on data inputs. Use in tandem with props.conf. |
| ui-prefs.conf | Change UI preferences for a view. Includes changing the default earliest and latest values for the time range picker. |
| user-prefs.conf | Configure settings on a per-user basis for use by Splunk Web. |
| user-seed.conf | Set a default user and password. |
| visualizations.conf | List the visualizations that an app makes available to the system. |
| viewstates.conf | Use this file to set up UI views (such as charts). |
| web.conf | Configure Splunk Web, enable HTTPS. |
| web-features.conf | Configure some Splunk Web settings. |
| wmi.conf | Set up Windows management instrumentation (WMI) inputs. |
| workflow_actions.conf | Configure workflow actions. |
| workload_policy.conf | Enable or disable admission rules in workload management. |
| workload_pools.conf | Configure workload pools (compute and memory resource groups) that you can assign to searches in workload management. |
| workload_rules.conf | Configure workload rules to define access and priority for workload pools in workload management. |
Last modified on 03 April, 2025
| When to restart Splunk Enterprise after a configuration file change | Configuration parameters and the data pipeline |
This documentation applies to the following versions of Splunk® Enterprise: 9.4.0, 9.4.1
Download manual 
Feedback submitted, thanks!