List of ITE Work configuration files
The following is a list of Splunk IT Essentials Work configuration files. All files are located under $SPLUNK_HOME/etc/apps/. Most .conf files have accompanying spec and example files located in the README folder that list all supporting attributes. Contact Support before editing a conf file that does not have an accompanying spec or example file.
If you are using Splunk Cloud, you can't edit a .conf file directly. For any task that requires editing a .conf file, submit a ticket using the Support Portal and Splunk Support will work with you to arrange a maintenance window.
CAUTION: Never change or copy the configuration files in the default directory. Default files must remain intact and in their original location. The upgrade process overwrites the default directory, so any changes that you make in the default directory are lost on upgrade. Create and edit your files in a local directory, for example
$SPLUNK_HOME/etc/apps/<app_name>/local. Local directories are not overwritten during upgrades. For more information, see Configuration file directories in the Admin manual for Splunk Enterprise. Note: Because Splunk IT Essentials Work is a free version of Splunk IT Service Intelligence, it uses many of the same configuration files. Clicking on links in the following table will open configuration file descriptions in the ITSI documentation. If a configuration file does not apply to the most recent version of ITSI or ITE Work, a banner notice at the top of the page for that configuration file says so.
| File | Purpose | ITSI Location |
|---|---|---|
| alert_actions.conf | Generate ITSI notable events and configure episode actions. | /SA-ITOA/default |
| alert_actions.conf | Summarize KPI searches into the ITSI summary index. | /itsi/default |
| authorize.conf | Configure ITSI-specific roles and capabilities, including role-based access controls. Always use /itsi/default. For more information, see Grant and revoke user permissions in ITSI. | /itsi/default |
| collections.conf | Configure KV store collections for ITSI. | /SA-ITOA/default |
| commands.conf | Connect search commands to any custom search script. | /SA-ITOA/default |
| datamodels.conf | Attribute/value pairs for configuring data models. | /DA-ITSI-APPSERVER/default /DA-ITSI-LB/default /DA-ITSI-VIRTUALIZATION/default |
| deep_dive_drilldowns.conf | Configure deep dive drilldowns, add new drilldowns. | /itsi/default |
| itsi_entity_type.conf | Upload sample entity types to the KV store. For more information, see Create custom entity types in ITSI. | /SA-ITOA/default |
| distsearch.conf | Specify behavior for distributed search. Group search peers to facilitate searching on a subset of peers. | /SA-ITOA/default |
| drilldownsearch_offset.conf | Configure time range picker presets for correlation search drilldown offsets. | /itsi/default |
| fields.conf | Create multi-value fields and add search capability for indexed fields. | /itsi/default |
| glasstable_icon_library.conf | Add and remove icons from the glass table icon library. | /itsi/default |
| inputs.conf | Set up data inputs. | /SA-ITOA/default/itsi/default |
| itsi_da.conf | (Deprecated) Configure an app to export entity searches and service templates for use within ITSI. | /SA-ITOA/default |
| itsi_data_integrations.conf | See the available chicklets listed on the Data Integrations page. For more information, see What is an entity integration?. | /itsi/default |
| itsi_deep_dive.conf | Upload deep dives to the KV store. | /SA-ITOA/default |
| itsi_event_management.conf | Configure Episode Review default settings. | /SA-ITOA/default |
| itsi_glass_table.conf | Upload glass tables to the KV store. | /SA-ITOA/default |
| itsi_kpi_base_search.conf | Upload KPI base searches to the KV store. | /SA-ITOA/default |
| itsi_kpi_template.conf | Upload KPI templates to the KV store. | /SA-ITOA/default |
| itsi_kpi_threshold_template.conf | Upload KPI threshold templates to the KV store. | /SA-ITOA/default |
| itsi_module_settings.conf | Define whether a module is editable in the module lister page. Default is false. | /DA-ITSI-EUEM/default /DA-ITSI-WEBSERVER/default /DA-ITSI-OS/default /DA-ITSI-VIRTUALIZATION/default /DA-ITSI-APPSERVER/default /DA-ITSI-LB/default /DA-ITSI-APM/default /DA-ITSI-DATABASE/default /DA-ITSI-STORAGE/default /DA-ITSI-CLOUD/default |
| itsi_module_viz.conf | Change tab names and panel titles in a module details dashboard. | /DA-ITSI-EUEM/default /DA-ITSI-WEBSERVER/default /DA-ITSI-OS/default /DA-ITSI-VIRTUALIZATION/default /DA-ITSI-APPSERVER/default /DA-ITSI-LB/default /DA-ITSI-APM/default /DA-ITSI-DATABASE/default /DA-ITSI-STORAGE/default /DA-ITSI-CLOUD/default |
| itsi_notable_event_retention.conf | Define how long notable events are retained before they move to the index. Default is 6 months. | /SA-ITOA/default |
| itsi_notable_event_severity.conf | Configure the colors associated with different severity levels in Episode Review. | /SA-ITOA/default |
| itsi_notable_event_status.conf | Configure label descriptions and event status in Episode Review. | /SA-ITOA/default |
| itsi_service.conf | Upload services to the KV store. | /SA-ITOA/default |
| itsi_service_analyzer.conf | Configure auto-refresh interval, or disable auto-refresh. | /SA-ITOA/default |
| itsi_service_template.conf | Configure an app to export service templates for use within ITSI. | /SA-ITOA/default |
| itsi_settings.conf | Configure ITSI. You can also change the default (0) setting on the enable_empty_replace flag in the Import stanza of this file. Setting that flag to 1 disables new replace conflict resolution and reverts ITSI to previous conflict resolution behavior, which clears metadata from entities that become inactive for conflict resolution of type replace. | /SA-ITOA/default |
| itsi_team.conf | Upload sample ITSI teams to the KV store. | /SA-ITOA/default |
| limits.conf | Set various limits (such as maximum result size or concurrent real-time searches) for search commands. | /SA-ITOA/default/itsi/default |
| macros.conf | Define search macros in Settings. | /SA-ITOA/default/itsi/default |
| mad.conf | Configure anomaly detection. | /SA-ITSI-MetricAD/default |
| notable_event_actions.conf | Configure actions to take on groups in Episode Review. | /SA-ITOA/default |
| notable_event_commonality.conf | Define fields to include or exclude from the Common Fields tab of Episode Review. | /SA-ITOA/default |
| notable_event_correlation.conf | Set threshold values and limits for Smart Mode event correlation. | /SA-ITOA/default |
| props.conf | Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties. | /SA-ITOA/default |
| restmap.conf | Create custom REST endpoints. | /SA-ITOA/default |
| savedsearches.conf | Define ordinary reports, scheduled reports, and alerts. | /SA-ITOA/default |
| searchbnf.conf | Configure the search assistant. | /SA-ITOA/default |
| threshold_labels.conf | Configure settings for severity-level thresholds. Change the label, color, threshold level, health weight, minimum and maximum health score, and score contribution. | /itsi/default |
| threshold_periods.conf | Deprecated. Do not edit. | /itsi/default |
| transforms.conf | Configure regex transformations to perform on data inputs. Use in tandem with props.conf. | /SA-ITOA/default |
| ui-tour.conf | Customize the ITSI product tour. | /itsi/default |
| visualizations.conf | Declare common visualizations that other modules can use. | /SA-ITSI-CustomModuleViz/default |
| web.conf | Configure Splunk Web, enable HTTPS. | /SA-ITOA/default |