[global] write_access = true # This enables saving, creating new files/folders, deleting and renaming. This # is obviously very dangerous and just like having filesystem access through # the operating system, will make it very easy to destroy your Splunk # environment if you dont know what you are doing. # Defaults to false run_commands = true # Enables running commands in the shell, with the user that splunk runs as. # Use with caution. # Defaults to false hide_settings = false # Hide the "Settings" link from the home screen. Note that if write_access # is true then settings can still be changed at # etc/apps/config_explorer/local/config_explorer.conf. When the Settings link # is displayed, it can be changed even when write_access is off. To # prevent all editing, set hide_settings = true and write_access = false . # Defaults to false. #max_file_size = 10 # The maximum file size in megabytes that can be opened. # Defaults to 10 cache_file_depth = 2 # Cache the list of files and folders for the left pane to this many levels deep. # This makes navigation much faster (especially on windows) but uses more memory, # causes slightly slower startup, and will not follow symbolic links. Set to 0 to # disable cache but allow caching of visited directories. Set -1 to disable all caching. # Defaults to 5 #conf_validate_on_save = true # Show a green or red indicator in the code gutter of each line if it appears # in the btool list output or not. Note: There are some of edge cases where this # doesn't work properly, so run btool yourself to confirm. # Defaults to true #btool_dir_for_deployment_apps = # If this server is a deployment server, then set this property to a sym-linked copy of the deployment-apps folder. # this will enable the btool gutter-hinting in config files to work with config in the deployment-apps folder # perform these steps to create the sym-linked deployment-apps folder. Note this only works on *nix-based platforms # 1. mkdir /opt/splunk/etc/deployment-apps-for-btool/ # 2. cd /opt/splunk/etc/deployment-apps-for-btool/ # 3. ln -s /opt/splunk/etc/deployment-apps apps # 4. Set this parameter to: btool_dir_for_deployment_apps = /opt/splunk/etc/deployment-apps-for-btool # For more info on why the symlinking process is necissary, please see: https://answers.splunk.com/answers/731787 #btool_dir_for_master_apps = # If this server is a cluster master server, then set this property to a sym-linked copy of the master-apps folder. # this will enable the btool gutter-hinting in config files to work with config in the master-apps folder # perform these steps to create the sym-linked master-apps folder. Note this only works on *nix-based platforms # 1. mkdir /opt/splunk/etc/master-apps-for-btool/ # 2. cd /opt/splunk/etc/master-apps-for-btool/ # 3. ln -s /opt/splunk/etc/master-apps apps # 4. Set this parameter to: btool_dir_for_master_apps = /opt/splunk/etc/master-apps-for-btool # For more info on why the symlinking process is necissary, please see: https://answers.splunk.com/answers/731787 #btool_dir_for_manager_apps = # If this server is a cluster manager server, then set this property to a sym-linked copy of the manager-apps folder. # this will enable the btool gutter-hinting in config files to work with config in the manager-apps folder # perform these steps to create the sym-linked manager-apps folder. Note this only works on *nix-based platforms # 1. mkdir /opt/splunk/etc/manager-apps-for-btool/ # 2. cd /opt/splunk/etc/manager-apps-for-btool/ # 3. ln -s /opt/splunk/etc/manager-apps apps # 4. Set this parameter to: btool_dir_for_manager_apps = /opt/splunk/etc/manager-apps-for-btool # For more info on why the symlinking process is necissary, please see: https://answers.splunk.com/answers/731787 #btool_dir_for_shcluster_apps = # This will enable the btool gutter-hinting in config files to work with config in the shcluster/apps folder # Enable this if the current server is a search head deployer. # There is no need to create a sym-link for this path, however an absolute path to shcluster must be set. # e.g. /opt/splunk/etc/shcluster #git_autocommit = false # Track all file saves by automatically committing them to git with a generic message. # Note you must first configure the git repo using "git init". Please see the documentation. # Autocommitting is a 'best effort' and not guaranteed. # Defaults to false #git_autocommit_show_output = auto # When autocommit is enabled, when should we show the commit log # true = Always show git messages # false = Never show git output # auto = Only show git messages when there is a non-zero status code # Defaults to auto #git_autocommit_dir = # Force specific git repository location, relative to SPLUNK_HOME directory. # Defaults to empty, meaning normal git rules will apply (search up from current directory) #git_autocommit_work_tree = # Force root location from where changes are tracked, relative to SPLUNK_HOME directory # Set to "etc/" to track all changes beneath etc folder. # Defaults to empty, meaning the normal git behavior will apply. #detect_changed_files = true # Check if files that are open have changed on the filesystem and warn if so. # Defaults to true #master_apps_gutter_unnecissary_config_files = # When viewing a config file within a subfolder of the /master-apps/ folder, if it matches this pattern, then a grey indicator # will be shown in the gutter with a tooltip that shows: "In most environments, this property is not needed on indexers". # In many environments the following configs are not desired on Indexers and can be appended: |restmap|web|inputs # Set empty to disable the gray gutter warnings of unnecissary props/transforms config # Default: alert_actions|addon_builder|checklist|collections|datamodels|deploymentclient|distsearch|eventgen|eventtypes|macros|savedsearches|tags|times|wmi|workflow_actions #master_apps_gutter_useful_props_and_transforms = # When viewing a props or transforms config file within a subfolder of the /master-apps/ folder, if the property does not match # this pattern, then a grey indicator will be shown in the gutter with a tooltip that shows: # "In most environments, this property is not needed on indexers". # Set empty to disable grey highlighting in props and transforms # Default: priority|TRUNCATE|LINE_BREAKER|LINE_BREAKER_LOOKBEHIND|SHOULD_LINEMERGE|BREAK_ONLY_BEFORE_DATE|BREAK_ONLY_BEFORE|MUST_BREAK_AFTER|MUST_NOT_BREAK_AFTER|MUST_NOT_BREAK_BEFORE|DATETIME_CONFIG|TIME_PREFIX|MAX_TIMESTAMP_LOOKAHEAD|TIME_FORMAT|TZ|TZ_ALIAS|MAX_DAYS_AGO|MAX_DAYS_HENCE|MAX_DIFF_SECS_AGO|MAX_DIFF_SECS_HENCE|ADD_EXTRA_TIME_FIELDS|METRICS_PROTOCOL|STATSD-DIM-TRANSFORMS|TRANSFORMS|CHECK_FOR_HEADER|SEDCMD|SEGMENTATION|ANNOTATE_PUNCT|description|category|REGEX|FORMAT|MATCH_LIMIT|DEPTH_LIMIT|CLONE_SOURCETYPE|LOOKAHEAD|WRITE_META|DEST_KEY|DEFAULT_VALUE|SOURCE_KEY|REPEAT_MATCH|INGEST_EVAL|REGEX|REMOVE_DIMS_FROM_METRIC_NAME|METRIC #master_apps_gutter_used_sourcetypes = # Have you ever wondered if you have parsing stanzas in master-apps/*/*/props.conf that are not being used in your environment? # Config Explorer can show an indicator in the gutter for stanzas that do not match the pattern defined here. # This does not work on props stanzas like the following "[source::*", "[host::*", "[(*" # Use the below search as an administrator to autmatically create the pattern: # | metadata type=sourcetypes index=* index=_* | fields sourcetype | format "" "" "" "" "" "" | rex mode=sed field=search "s/\"\s+sourcetype=\"/|/g" | rex mode=sed field=search "s/(\s*sourcetype=|\s*$)//g" # Set empty to disable grey highlighting of stanzas that are not used # Defaults to empty #master_apps_gutter_used_sourcetypes_date = # As the above master_apps_gutter_used_sourcetypes pattern is a one-off snapshot in time, this property allows you to know # "how out of date" the above pattern of known sourcetypes is. Must be in the format YYYY-MM-DD # Set this to the current date when the above search is run. # Defaults to empty #debug_refresh_endpoints = # A list of endpoints that will show when you click the button "Debug/refresh endpoint" button on the config explorer home page. Set to a blank string to hide the button. # rest_api_dashboard_list = # Show a new "Splunk REST API" section in the left pane, which allows opening and saving dashboard XML files using the REST API. # Defaults to false #dashboard_xml_file_experimental_actions = # Right-clicking on a dashboard XML file will show options to "Attempt view in browser" and "Attempt edit via REST API". # When using one of these options its importent to understand that the file that opens might not be the exact file that was clicked on. # For example if you click on a XML file in APP/default/data/ui/views/ and there is a file also in APP/local/data/ui/views/, then Splunk # will open the "local" version. Private user dashboards may also take priority. Only enable this option if you understand this well. # Defaults to false ############################################################################ # Custom action hooks # ############################################################################ # Custom hooks create right-click actions for files that match a regular expression # See etc/apps/config_explorer/default/config_explorer.conf for many examples, # and read the .spec file. There are links to both these actions in the right click menu. #[hook:] #match = .* #matchtype = file #showWithSave = false #label = Test #action = run:echo ${BASEFILE} #disabled = false #showWithSave = true #showInPane = both #order = 10 # An example hook showing how to run "git status" on a folder # [hook:git_status] # match = .* # matchtype = folder # label = Git status # action = run:cd ${FILE} && git status # showWithSave = false # when editing .conf files in "deployment-apps", have an option to run btool # this is also useful on search head deployers. See "btool_dirs" above for extra notes. # [hook:btool-deployment-apps-for-btool] # match = /deployment-apps.*(?:local|default)/[^\/]*\.conf$ # label = [deployment-apps-for-btool] Run btool on ${BASEFILE} # action = btool:${BASEFILE}:/opt/splunk/etc/deployment-apps-for-btool # showWithSave = false ############################################################################ # Custom home-tab actions # ############################################################################ # Actions are buttons on the home tab that can be used to run common actions. # the run_commands option must be enabled. Read the spec file for hooks which # uses the same command options. # Examples below: # [action:ftw] # label = Splunk FTW # # Linux # action = run:echo running bin/splunk ftw ; bin/splunk ftw # # Windows # action = run:echo running bin\\splunk ftw ; bin\\splunk ftw # description = ORLY? # disabled = false # order = 10 # [action:reload_deploy_server] # label = Reload deploy-server # # Linux # action = run:./bin/splunk reload deploy-server # # Windows # action = run:bin\\splunk reload deploy-server # order = 20 # Add a home screen button for checking deployment-apps for config errors # see "btool_dirs" above for extra notes. # [action:btool-deployment-apps-for-btool-check] # label = Btool check deployment-apps # action = run:./bin/splunk btool check --dir=/opt/splunk/etc/deployment-apps-for-btool # description = Check for config errors in deployment-apps folder # order = 30 # [action:shc_apply_bundle] # label = Send bundle to search heads # # Linux # action = run:./bin/splunk apply shcluster-bundle -target https://FQDN_OF_A_SEARCH_HEAD:8089 --answer-yes # # Windows # action = run:bin\\splunk apply shcluster-bundle -target https://FQDN_OF_A_SEARCH_HEAD:8089 --answer-yes # order = 20 # [action:idx_apply_bundle] # label = Send bundle to indexers # Linux # action = run:./bin/splunk apply cluster-bundle --answer-yes # Windows # action = run:bin\\splunk apply cluster-bundle --answer-yes # order = 20 # [action:kill_persistant_threads] # # Linux only # label = Kill persistant threads # action = run:echo triggered task to kill threads; nohup sh -c "sleep 2; ps aux | grep \"persistconn\/appserver\" | grep -v \"grep\" | awk '{print \$2}' | xargs kill" >/dev/null 2>&1 & # order = 20 # [action:restart_splunk_web] # # Linux only # label = restart splunk-web # action = run:echo restart splunkweb triggered; nohup sh -c "sleep 2; ./bin/splunk restart splunkweb" >/dev/null 2>&1 & # order = 80 # [action:restart_splunk] # # Linux only # label = restart splunk # action = run-safe:echo restart splunk triggered; nohup sh -c "sleep 2; ./bin/splunk restart" >/dev/null 2>&1 & # order = 90