From ac41b2745ca9d4c15a4c79e87cbbbadd9b3e65da Mon Sep 17 00:00:00 2001 
From: Jason Conger Date: Wed, 10 Apr 2024 11:00:19 -0500 Subject: [PATCH] feat: added 9.1 and 9.2 spec files --- spec_files/9.1/alert_actions.conf.spec | 574 ++ spec_files/9.1/app.conf.spec | 415 ++ spec_files/9.1/audit.conf.spec | 30 + spec_files/9.1/authentication.conf.spec | 1643 +++++ spec_files/9.1/authorize.conf.spec | 1108 ++++ spec_files/9.1/bookmarks.conf.spec | 23 + spec_files/9.1/checklist.conf.spec | 105 + spec_files/9.1/collections.conf.spec | 91 + spec_files/9.1/commands.conf.spec | 309 + spec_files/9.1/conf_checker.rules | 182 + spec_files/9.1/datamodels.conf.spec | 344 ++ spec_files/9.1/datatypesbnf.conf.spec | 14 + spec_files/9.1/default-mode.conf.examples | 13 + spec_files/9.1/default-mode.conf.spec | 62 + spec_files/9.1/default.meta.spec | 60 + spec_files/9.1/deployment.conf.spec | 13 + spec_files/9.1/deploymentclient.conf.spec | 264 + spec_files/9.1/distsearch.conf.spec | 764 +++ spec_files/9.1/event_renderers.conf.spec | 41 + spec_files/9.1/eventdiscoverer.conf.spec | 46 + spec_files/9.1/eventtypes.conf.spec | 78 + spec_files/9.1/federated.conf.spec | 260 + spec_files/9.1/fields.conf.spec | 119 + spec_files/9.1/global-banner.conf.spec | 43 + spec_files/9.1/health.conf.spec | 215 + spec_files/9.1/indexes.conf.spec | 3071 ++++++++++ spec_files/9.1/inputs.conf.spec | 4128 +++++++++++++ spec_files/9.1/instance.cfg.spec | 50 + spec_files/9.1/limits.conf.spec | 4784 +++++++++++++++ spec_files/9.1/literals.conf.spec | 5 + spec_files/9.1/livetail.conf.examples | 37 + spec_files/9.1/livetail.conf.spec | 52 + spec_files/9.1/macros.conf.spec | 81 + spec_files/9.1/messages.conf.spec | 129 + spec_files/9.1/metric_alerts.conf.spec | 216 + spec_files/9.1/metric_rollups.conf.spec | 120 + spec_files/9.1/migration.conf.spec | 18 + spec_files/9.1/multikv.conf.spec | 119 + spec_files/9.1/outputs.conf.spec | 2207 +++++++ spec_files/9.1/passwords.conf.spec | 23 + spec_files/9.1/procmon-filters.conf.spec | 31 + spec_files/9.1/props.conf.spec | 1698 ++++++ 
spec_files/9.1/pubsub.conf.spec | 61 + spec_files/9.1/restmap.conf.spec | 479 ++ spec_files/9.1/savedsearches.conf.spec | 1214 ++++ spec_files/9.1/searchbnf.conf.spec | 210 + spec_files/9.1/segmenters.conf.spec | 111 + spec_files/9.1/server.conf.spec | 6115 +++++++++++++++++++ spec_files/9.1/serverclass.conf.spec | 382 ++ spec_files/9.1/serverclass.seed.xml.spec | 55 + spec_files/9.1/setup.xml.spec | 191 + spec_files/9.1/source-classifier.conf.spec | 26 + spec_files/9.1/sourcetypes.conf.spec | 37 + spec_files/9.1/splunk-launch.conf.spec | 230 + spec_files/9.1/tags.conf.spec | 32 + spec_files/9.1/times.conf.spec | 120 + spec_files/9.1/transactiontypes.conf.spec | 156 + spec_files/9.1/transforms.conf.spec | 986 +++ spec_files/9.1/ui-prefs.conf.spec | 107 + spec_files/9.1/ui-tour.conf.spec | 145 + spec_files/9.1/user-prefs.conf.spec | 139 + spec_files/9.1/user-seed.conf.spec | 37 + spec_files/9.1/viewstates.conf.spec | 38 + spec_files/9.1/visualizations.conf.spec | 169 + spec_files/9.1/web-features.conf.spec | 222 + spec_files/9.1/web.conf.spec | 1545 +++++ spec_files/9.1/wmi.conf.spec | 247 + spec_files/9.1/workflow_actions.conf.spec | 199 + spec_files/9.1/workload_policy.conf.spec | 32 + spec_files/9.1/workload_pools.conf.spec | 120 + spec_files/9.1/workload_rules.conf.spec | 261 + spec_files/9.2/alert_actions.conf.spec | 574 ++ spec_files/9.2/app.conf.spec | 415 ++ spec_files/9.2/audit.conf.spec | 30 + spec_files/9.2/authentication.conf.spec | 1652 +++++ spec_files/9.2/authorize.conf.spec | 1123 ++++ spec_files/9.2/bookmarks.conf.spec | 23 + spec_files/9.2/checklist.conf.spec | 105 + spec_files/9.2/collections.conf.spec | 91 + spec_files/9.2/commands.conf.spec | 309 + spec_files/9.2/conf_checker.rules | 182 + spec_files/9.2/datamodels.conf.spec | 344 ++ spec_files/9.2/datatypesbnf.conf.spec | 14 + spec_files/9.2/default-mode.conf.examples | 13 + spec_files/9.2/default-mode.conf.spec | 62 + spec_files/9.2/default.meta.spec | 60 + spec_files/9.2/deployment.conf.spec 
| 13 + spec_files/9.2/deploymentclient.conf.spec | 264 + spec_files/9.2/distsearch.conf.spec | 758 +++ spec_files/9.2/event_renderers.conf.spec | 41 + spec_files/9.2/eventdiscoverer.conf.spec | 46 + spec_files/9.2/eventtypes.conf.spec | 78 + spec_files/9.2/federated.conf.spec | 220 + spec_files/9.2/fields.conf.spec | 119 + spec_files/9.2/global-banner.conf.spec | 43 + spec_files/9.2/health.conf.spec | 215 + spec_files/9.2/indexes.conf.spec | 3111 ++++++++++ spec_files/9.2/inputs.conf.spec | 4113 +++++++++++++ spec_files/9.2/instance.cfg.spec | 50 + spec_files/9.2/limits.conf.spec | 4844 +++++++++++++++ spec_files/9.2/literals.conf.spec | 5 + spec_files/9.2/livetail.conf.examples | 37 + spec_files/9.2/livetail.conf.spec | 52 + spec_files/9.2/macros.conf.spec | 81 + spec_files/9.2/messages.conf.spec | 129 + spec_files/9.2/metric_alerts.conf.spec | 216 + spec_files/9.2/metric_rollups.conf.spec | 120 + spec_files/9.2/migration.conf.spec | 18 + spec_files/9.2/multikv.conf.spec | 119 + spec_files/9.2/outputs.conf.spec | 2406 ++++++++ spec_files/9.2/passwords.conf.spec | 23 + spec_files/9.2/procmon-filters.conf.spec | 31 + spec_files/9.2/props.conf.spec | 1694 ++++++ spec_files/9.2/pubsub.conf.spec | 61 + spec_files/9.2/restmap.conf.spec | 480 ++ spec_files/9.2/savedsearches.conf.spec | 1222 ++++ spec_files/9.2/searchbnf.conf.spec | 210 + spec_files/9.2/segmenters.conf.spec | 111 + spec_files/9.2/server.conf.spec | 6290 ++++++++++++++++++++ spec_files/9.2/serverclass.conf.spec | 470 ++ spec_files/9.2/serverclass.seed.xml.spec | 55 + spec_files/9.2/setup.xml.spec | 191 + spec_files/9.2/source-classifier.conf.spec | 26 + spec_files/9.2/sourcetypes.conf.spec | 37 + spec_files/9.2/splunk-launch.conf.spec | 237 + spec_files/9.2/tags.conf.spec | 32 + spec_files/9.2/times.conf.spec | 120 + spec_files/9.2/transactiontypes.conf.spec | 152 + spec_files/9.2/transforms.conf.spec | 986 +++ spec_files/9.2/ui-prefs.conf.spec | 107 + spec_files/9.2/ui-tour.conf.spec | 145 + 
spec_files/9.2/user-prefs.conf.spec | 139 + spec_files/9.2/user-seed.conf.spec | 37 + spec_files/9.2/viewstates.conf.spec | 38 + spec_files/9.2/visualizations.conf.spec | 169 + spec_files/9.2/web-features.conf.spec | 305 + spec_files/9.2/web.conf.spec | 1549 +++++ spec_files/9.2/wmi.conf.spec | 247 + spec_files/9.2/workflow_actions.conf.spec | 199 + spec_files/9.2/workload_policy.conf.spec | 32 + spec_files/9.2/workload_pools.conf.spec | 120 + spec_files/9.2/workload_rules.conf.spec | 278 + 142 files changed, 75139 insertions(+) create mode 100644 spec_files/9.1/alert_actions.conf.spec create mode 100644 spec_files/9.1/app.conf.spec create mode 100644 spec_files/9.1/audit.conf.spec create mode 100644 spec_files/9.1/authentication.conf.spec create mode 100644 spec_files/9.1/authorize.conf.spec create mode 100644 spec_files/9.1/bookmarks.conf.spec create mode 100644 spec_files/9.1/checklist.conf.spec create mode 100644 spec_files/9.1/collections.conf.spec create mode 100644 spec_files/9.1/commands.conf.spec create mode 100644 spec_files/9.1/conf_checker.rules create mode 100644 spec_files/9.1/datamodels.conf.spec create mode 100644 spec_files/9.1/datatypesbnf.conf.spec create mode 100644 spec_files/9.1/default-mode.conf.examples create mode 100644 spec_files/9.1/default-mode.conf.spec create mode 100644 spec_files/9.1/default.meta.spec create mode 100644 spec_files/9.1/deployment.conf.spec create mode 100644 spec_files/9.1/deploymentclient.conf.spec create mode 100644 spec_files/9.1/distsearch.conf.spec create mode 100644 spec_files/9.1/event_renderers.conf.spec create mode 100644 spec_files/9.1/eventdiscoverer.conf.spec create mode 100644 spec_files/9.1/eventtypes.conf.spec create mode 100644 spec_files/9.1/federated.conf.spec create mode 100644 spec_files/9.1/fields.conf.spec create mode 100644 spec_files/9.1/global-banner.conf.spec create mode 100644 spec_files/9.1/health.conf.spec create mode 100644 spec_files/9.1/indexes.conf.spec create mode 100644 
spec_files/9.1/inputs.conf.spec create mode 100644 spec_files/9.1/instance.cfg.spec create mode 100644 spec_files/9.1/limits.conf.spec create mode 100644 spec_files/9.1/literals.conf.spec create mode 100644 spec_files/9.1/livetail.conf.examples create mode 100644 spec_files/9.1/livetail.conf.spec create mode 100644 spec_files/9.1/macros.conf.spec create mode 100644 spec_files/9.1/messages.conf.spec create mode 100644 spec_files/9.1/metric_alerts.conf.spec create mode 100644 spec_files/9.1/metric_rollups.conf.spec create mode 100644 spec_files/9.1/migration.conf.spec create mode 100644 spec_files/9.1/multikv.conf.spec create mode 100644 spec_files/9.1/outputs.conf.spec create mode 100644 spec_files/9.1/passwords.conf.spec create mode 100644 spec_files/9.1/procmon-filters.conf.spec create mode 100644 spec_files/9.1/props.conf.spec create mode 100644 spec_files/9.1/pubsub.conf.spec create mode 100644 spec_files/9.1/restmap.conf.spec create mode 100644 spec_files/9.1/savedsearches.conf.spec create mode 100644 spec_files/9.1/searchbnf.conf.spec create mode 100644 spec_files/9.1/segmenters.conf.spec create mode 100644 spec_files/9.1/server.conf.spec create mode 100644 spec_files/9.1/serverclass.conf.spec create mode 100644 spec_files/9.1/serverclass.seed.xml.spec create mode 100644 spec_files/9.1/setup.xml.spec create mode 100644 spec_files/9.1/source-classifier.conf.spec create mode 100644 spec_files/9.1/sourcetypes.conf.spec create mode 100644 spec_files/9.1/splunk-launch.conf.spec create mode 100644 spec_files/9.1/tags.conf.spec create mode 100644 spec_files/9.1/times.conf.spec create mode 100644 spec_files/9.1/transactiontypes.conf.spec create mode 100644 spec_files/9.1/transforms.conf.spec create mode 100644 spec_files/9.1/ui-prefs.conf.spec create mode 100644 spec_files/9.1/ui-tour.conf.spec create mode 100644 spec_files/9.1/user-prefs.conf.spec create mode 100644 spec_files/9.1/user-seed.conf.spec create mode 100644 spec_files/9.1/viewstates.conf.spec create mode 
100644 spec_files/9.1/visualizations.conf.spec create mode 100644 spec_files/9.1/web-features.conf.spec create mode 100644 spec_files/9.1/web.conf.spec create mode 100644 spec_files/9.1/wmi.conf.spec create mode 100644 spec_files/9.1/workflow_actions.conf.spec create mode 100644 spec_files/9.1/workload_policy.conf.spec create mode 100644 spec_files/9.1/workload_pools.conf.spec create mode 100644 spec_files/9.1/workload_rules.conf.spec create mode 100644 spec_files/9.2/alert_actions.conf.spec create mode 100644 spec_files/9.2/app.conf.spec create mode 100644 spec_files/9.2/audit.conf.spec create mode 100644 spec_files/9.2/authentication.conf.spec create mode 100644 spec_files/9.2/authorize.conf.spec create mode 100644 spec_files/9.2/bookmarks.conf.spec create mode 100644 spec_files/9.2/checklist.conf.spec create mode 100644 spec_files/9.2/collections.conf.spec create mode 100644 spec_files/9.2/commands.conf.spec create mode 100644 spec_files/9.2/conf_checker.rules create mode 100644 spec_files/9.2/datamodels.conf.spec create mode 100644 spec_files/9.2/datatypesbnf.conf.spec create mode 100644 spec_files/9.2/default-mode.conf.examples create mode 100644 spec_files/9.2/default-mode.conf.spec create mode 100644 spec_files/9.2/default.meta.spec create mode 100644 spec_files/9.2/deployment.conf.spec create mode 100644 spec_files/9.2/deploymentclient.conf.spec create mode 100644 spec_files/9.2/distsearch.conf.spec create mode 100644 spec_files/9.2/event_renderers.conf.spec create mode 100644 spec_files/9.2/eventdiscoverer.conf.spec create mode 100644 spec_files/9.2/eventtypes.conf.spec create mode 100644 spec_files/9.2/federated.conf.spec create mode 100644 spec_files/9.2/fields.conf.spec create mode 100644 spec_files/9.2/global-banner.conf.spec create mode 100644 spec_files/9.2/health.conf.spec create mode 100644 spec_files/9.2/indexes.conf.spec create mode 100644 spec_files/9.2/inputs.conf.spec create mode 100644 spec_files/9.2/instance.cfg.spec create mode 100644 
spec_files/9.2/limits.conf.spec create mode 100644 spec_files/9.2/literals.conf.spec create mode 100644 spec_files/9.2/livetail.conf.examples create mode 100644 spec_files/9.2/livetail.conf.spec create mode 100644 spec_files/9.2/macros.conf.spec create mode 100644 spec_files/9.2/messages.conf.spec create mode 100644 spec_files/9.2/metric_alerts.conf.spec create mode 100644 spec_files/9.2/metric_rollups.conf.spec create mode 100644 spec_files/9.2/migration.conf.spec create mode 100644 spec_files/9.2/multikv.conf.spec create mode 100644 spec_files/9.2/outputs.conf.spec create mode 100644 spec_files/9.2/passwords.conf.spec create mode 100644 spec_files/9.2/procmon-filters.conf.spec create mode 100644 spec_files/9.2/props.conf.spec create mode 100644 spec_files/9.2/pubsub.conf.spec create mode 100644 spec_files/9.2/restmap.conf.spec create mode 100644 spec_files/9.2/savedsearches.conf.spec create mode 100644 spec_files/9.2/searchbnf.conf.spec create mode 100644 spec_files/9.2/segmenters.conf.spec create mode 100644 spec_files/9.2/server.conf.spec create mode 100644 spec_files/9.2/serverclass.conf.spec create mode 100644 spec_files/9.2/serverclass.seed.xml.spec create mode 100644 spec_files/9.2/setup.xml.spec create mode 100644 spec_files/9.2/source-classifier.conf.spec create mode 100644 spec_files/9.2/sourcetypes.conf.spec create mode 100644 spec_files/9.2/splunk-launch.conf.spec create mode 100644 spec_files/9.2/tags.conf.spec create mode 100644 spec_files/9.2/times.conf.spec create mode 100644 spec_files/9.2/transactiontypes.conf.spec create mode 100644 spec_files/9.2/transforms.conf.spec create mode 100644 spec_files/9.2/ui-prefs.conf.spec create mode 100644 spec_files/9.2/ui-tour.conf.spec create mode 100644 spec_files/9.2/user-prefs.conf.spec create mode 100644 spec_files/9.2/user-seed.conf.spec create mode 100644 spec_files/9.2/viewstates.conf.spec create mode 100644 spec_files/9.2/visualizations.conf.spec create mode 100644 spec_files/9.2/web-features.conf.spec 
create mode 100644 spec_files/9.2/web.conf.spec
create mode 100644 spec_files/9.2/wmi.conf.spec
create mode 100644 spec_files/9.2/workflow_actions.conf.spec
create mode 100644 spec_files/9.2/workload_policy.conf.spec
create mode 100644 spec_files/9.2/workload_pools.conf.spec
create mode 100644 spec_files/9.2/workload_rules.conf.spec
diff --git a/spec_files/9.1/alert_actions.conf.spec b/spec_files/9.1/alert_actions.conf.spec
new file mode 100644
index 0000000..997dab4
--- /dev/null
+++ b/spec_files/9.1/alert_actions.conf.spec
@@ -0,0 +1,574 @@
+# Version 9.1.4
+#
+############################################################################
+# OVERVIEW
+############################################################################
+# This file contains descriptions of the settings that you can use to
+# configure global saved search actions in the alert_actions.conf file.
+# Saved searches are configured in the savedsearches.conf file.
+#
+# There is an alert_actions.conf file in the $SPLUNK_HOME/etc/system/default/
+# directory. Never change or copy the configuration files in the default directory.
+# The files in the default directory must remain intact and in their original
+# location.
+#
+# To set custom configurations, create a new file with the name
+# alert_actions.conf in the $SPLUNK_HOME/etc/system/local/ directory.
+# Then add the specific settings that you want to customize to the local
+# configuration file.
+# For examples, see alert_actions.conf.example. You must restart the Splunk instance
+# to enable configuration changes.
+#
+# To learn more about configuration files (including file precedence) see the
+# documentation located at
+# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
+#
+############################################################################
+# GLOBAL SETTINGS
+############################################################################
+# Use the [default] stanza to define any global settings.
+# * You can also define global settings outside of any stanza, at the top
+# of the file.
+# * Each conf file should have at most one default stanza. If there are
+# multiple default stanzas, settings are combined. In the case of
+# multiple definitions of the same setting, the last definition in the
+# file wins.
+# * If a setting is defined at both the global level and in a specific
+# stanza, the value in the specific stanza takes precedence.
+
+maxresults =
+* The global maximum number of search results sent through alerts.
+* Default: 10000
+
+hostname = [protocol][:]
+* The hostname in the web link (URL) that is sent in alerts.
+* This value accepts two forms:
+ * hostname
+ examples: splunkserver, splunkserver.example.com
+ * protocol://hostname:port
+ examples: http://splunkserver:8000, https://splunkserver.example.com:443
+* When this value is a hostname, the protocol and port that
+ are configured in the Splunk platform are used to construct the base of
+ the URL.
+* When this value begins with 'http://', it is used verbatim.
+ NOTE: This means the correct port must be specified if it is not
+ the default port for http or https.
+* This is useful in cases when the Splunk server is not aware of
+ how to construct an externally referenceable URL, such as SSO
+ environments, other proxies, or when the Splunk server hostname
+ is not generally resolvable.
+* Default: The current hostname provided by the operating system,
+ or if that fails, "localhost".
+
+ttl = [p]
+* The minimum time to live, in seconds, of the search artifacts,
+ if this action is triggered.
+* If 'p' follows '', then '' is the number of scheduled periods.
+* If no actions are triggered, the ttl for the artifacts are determined
+ by the 'dispatch.ttl' setting in the savedsearches.conf file.
+* Default: 10p
+* Default (for email, rss) : 86400 (24 hours)
+* Default (for script) : 600 (10 minutes)
+* Default (for summary_index, populate_lookup): 120 (2 minutes)
+
+maxtime = [m|s|h|d]
+* The maximum amount of time that the execution of an action is allowed to
+ take before the action is aborted.
+* Use the d, h, m and s suffixes to define the period of time:
+ d = day, h = hour, m = minute and s = second.
+ For example: 5d means 5 days.
+* Default (for all stanzas except 'rss': 5m
+* Default (for the 'rss' stanza): 1m
+
+track_alert =
+* Whether or not the execution of this action signifies a trackable alert.
+* Default: 0 (false).
+
+command =
+* The search command (or pipeline) that is responsible for executing
+ the action.
+* Generally the command is a template search pipeline which is realized
+ with values from the saved search. To reference saved search
+ field values enclose the values in dollar signs ($).
+* For example, to reference the saved search name, use "$name$". To
+ reference the search, use "$search$"
+
+is_custom =
+* Whether or not the alert action is based on the custom alert
+ actions framework and is supposed to be listed in the search UI.
+
+payload_format = [xml|json]
+* Configure the format the alert script receives the configuration via
+ STDIN.
+* Default: xml
+
+label =
+* For custom alert actions, defines the label that is shown in the UI.
+ If not specified, the stanza name is used instead.
+* Default: The stanza name for the custom alert action.
+
+description =
+* For custom alert actions, specifies the description shown in the UI.
+
+icon_path =
+* For custom alert actions, defines the icon shown in the UI for the alert
+ action. The path refers to the 'appserver/static' directory in the app
+ that the alert action is defined in.
+
+forceCsvResults = [auto|true|false]
+* If set to "true", any saved search that includes this action
+ always stores results in CSV format, instead of the internal SRS format.
+* If set to "false", results are always serialized using the internal SRS format.
+* If set to "auto", results are serialized as CSV if the 'command' setting
+ in this stanza starts with "sendalert" or contains the string
+ "$results.file$".
+* Default: auto
+
+alert.execute.cmd =
+* For custom alert actions, explicitly specifies the command to run
+ when the alert action is triggered. This refers to a binary or script
+ in the 'bin' folder of the app that the alert action is defined in, or to a
+ path pointer file, also located in the 'bin' folder.
+* If a path pointer file (*.path) is specified, the contents of the file
+ is read and the result is used as the command to run.
+ Environment variables in the path pointer file are substituted.
+* If a python (*.py) script is specified, it is prefixed with the
+ bundled python interpreter.
+
+alert.execute.cmd.arg. =
+* Provide additional arguments to the 'alert.execute.cmd'.
+ Environment variables are substituted.
+
+python.version = {default|python|python2|python3}
+* For Python scripts only, selects which Python version to use.
+* Set to either "default" or "python" to use the system-wide default Python
+ version.
+* Optional.
+* Default: Not set; uses the system-wide Python version.
+
+################################################################################
+# EMAIL: these settings are prefaced by the [email] stanza name
+################################################################################
+
+[email]
+* Set email notification options under this stanza name.
+* Follow this stanza name with any number of the following
+ setting/value pairs.
+* If you do not specify an entry for each setting, the default value is used.
+
+from =
+* Email address from which the alert originates.
+* Default: splunk
+
+to =
+* The To email address receiving the alert.
+
+cc =
+* Any courtesy copy (cc) email addresses receiving the alert.
+
+bcc =
+* Any blind courtesy copy (bcc) email addresses receiving the alert.
+
+allowedDomainList =
+* Optional. This setting specifies a list of domains to which users are allowed
+ to send email.
+* If this setting is set for an alert, and a user adds an address with a domain
+ not on this list, the Splunk software removes that address from the
+ recipients list.
+* 'action.email.allowedDomainList' in savedsearches.conf will not be honored.
+* No default.
+
+message.report =
+* Specify a custom email message for scheduled reports.
+* Includes the ability to reference settings from the result,
+ saved search, or job.
+
+message.alert =
+* Specify a custom email message for alerts.
+* Includes the ability to reference settings from result,
+ saved search, or job.
+
+subject =
+* Specify an alternate email subject if useNSSubject is "false".
+* Default: Splunk Alert: $name$
+
+subject.alert =
+* Specify an alternate email subject for an alert.
+* Default: Splunk Alert: $name$
+
+subject.report =
+* Specify an alternate email subject for a scheduled report.
+* Default: Splunk Report: $name$
+
+useNSSubject =
+* Whether or not to use the namespaced subject, for example, subject.report or the
+ subject.
+* Default: 0
+
+escapeCSVNewline =
+* Whether to escape newlines as "\r\n" or "\n" or not in emailed CSV files.
+* Default: true
+
+footer.text =
+* Specify an alternate email footer.
+* Default: "If you believe you've received this email in error, please
+see your Splunk administrator.\\ splunk > the engine for machine data"
+
+format = [table|raw|csv]
+* Specify the format of inline results in the email.
+* Previously accepted values "plain" and "html" are no longer respected
+ and equate to "table".
+* To make emails plain or HTML use the 'content_type' setting.
+* Default: table
+
+include.results_link =
+* Whether or not to include a link to the results.
+
+include.search =
+* Whether or not to include the search that caused an email to be sent.
+
+include.trigger =
+* Whether or not to show the trigger condition that caused the alert to
+ fire.
+
+include.trigger_time =
+* Whether or not to show the time that the alert was fired.
+
+include.view_link =
+* Whether or not to show the title and a link to enable the user to edit
+ the saved search.
+
+content_type = [html|plain]
+* Specify the content type of the email.
+* When set to "plain", sends email as plain text.
+* When set to "html", sends email as a multipart email that includes both
+ text and HTML.
+
+sendresults =
+* Whether or not the search results are included in the email. The
+ results can be attached or inline, see inline (action.email.inline)
+* Default: 0 (false)
+
+inline =
+* Whether or not the search results are contained in the body of the alert
+ email.
+* If the events are not sent inline, they are attached as a CSV file.
+* Default: 0 (false).
+
+priority = [1|2|3|4|5]
+* Set the priority of the email as it appears in the email client.
+* Value mapping: 1 highest, 2 high, 3 normal, 4 low, 5 lowest.
+* Default: 3
+
+mailserver = [:]
+* You must have a Simple Mail Transfer Protocol (SMTP) server available
+ to send email. This is not included with the Splunk instance.
+* Specifies the SMTP mail server to use when sending emails.
+* can be either the hostname or the IP address.
+* Optionally, specify the SMTP that the Splunk instance should connect to.
+* When the 'use_ssl' setting (see below) is set to 1 (true), you
+ must specify both and .
+ (Example: "example.com:465")
+* Default: localhost
+
+use_ssl =
+* Whether to use SSL when communicating with the SMTP server.
+* When set to 1 (true), you must also specify both the server name or
+ IP address and the TCP port in the 'mailserver' setting.
+* Default: 0 (false)
+
+use_tls =
+* Whether or not to use TLS (transport layer security) when
+ communicating with the SMTP server (starttls).
+* Default: 0 (false)
+
+auth_username =
+* The username to use when authenticating with the SMTP server. If this is
+ not defined or is set to an empty string, no authentication is attempted.
+ NOTE: your SMTP server might reject unauthenticated emails.
+* Default: an empty string
+
+auth_password =
+* The password to use when authenticating with the SMTP server.
+ Normally this value is set when editing the email settings, however
+ you can set a clear text password here and it is encrypted on the
+ next Splunk software restart.
+* Default: an empty string
+
+sendpdf =
+* Whether or not to create and send the results as a PDF file.
+* Default: 0 (false)
+
+sendcsv =
+* Whether or not to create and send the results as a CSV file.
+* Default: 0 (false)
+
+allow_empty_attachment =
+* Whether or not the Splunk software attaches a CSV or PDF file to
+ an alert email even when the triggering alert search does not have
+ results.
+* This setting sets a default for alerts that use the email alert
+ action. Override it for specific alerts by setting
+ 'action.email.allow_empty_attachment' for those alerts in
+ 'savedsearches.conf'.
+* Default: true
+
+pdfview =
+* The name of the view to send as a PDF file.
+
+reportPaperSize = [letter|legal|ledger|a2|a3|a4|a5]
+* Default paper size for PDFs.
+* Accepted values: letter, legal, ledger, a2, a3, a4, a5
+* Default: letter
+
+reportPaperOrientation = [portrait|landscape]
+* The orientation of the paper.
+* Default: portrait
+
+reportIncludeSplunkLogo =
+* Whether or not to include a Splunk logo in Integrated PDF Rendering.
+* Default: 1 (true)
+
+reportCIDFontList =
+* Specify the set (and load order) of CID fonts for handling
+ Simplified Chinese(gb), Traditional Chinese(cns),
+ Japanese(jp), and Korean(kor) in Integrated PDF Rendering.
+* Specify in a space-separated list.
+* If multiple fonts provide a glyph for a given character code, the glyph
+ from the first font specified in the list is used.
+* To skip loading any CID fonts, specify the empty string.
+* Default: gb cns jp kor
+
+reportFileName =
+* Specify the name of the attached PDF or CSV file.
+* Default: $name$-$time:%Y-%m-%d$
+
+width_sort_columns =
+* Whether or not columns should be sorted from least wide
+ to most wide, left to right.
+* Valid only if "format=text".
+* Default: true
+
+preprocess_results =
+* Supply a search string to preprocess results before emailing the results.
+ Usually the preprocessing consists of filtering out unwanted internal fields.
+* Default: an empty string (no preprocessing)
+
+pdf.footer_enabled = [1 or 0]
+ * Set whether or not to display a footer in the PDF.
+ * Default: 1 (true)
+
+pdf.header_enabled = [1 or 0]
+ * Set whether or not to display a header in the PDF.
+ * Default: 1 (true)
+
+pdf.logo_path =
+* Define the PDF logo using the syntax :.
+* If set, the PDF is rendered with this logo instead of the Splunk logo.
+* If not set, the Splunk logo is used by default.
+* The logo is read from the
+ $SPLUNK_HOME/etc/apps//appserver/static/
+ path if is provided.
+* The current app is used if is not provided.
+* Default: the Splunk logo
+
+pdf.header_left = [logo|title|description|timestamp|pagination|none]
+* Set which element is displayed on the left side of header.
+* Nothing is displayed if this option is not set, or set to "none".
+* Default: none
+
+pdf.header_center = [logo|title|description|timestamp|pagination|none]
+* Set which element is displayed on the center of header.
+* Nothing is displayed if this option is not set, or set to "none".
+* Default: description
+
+pdf.header_right = [logo|title|description|timestamp|pagination|none]
+* Set which element is displayed on the right side of header.
+* Nothing is displayed if this setting is not set, or set to "none".
+* Default: none
+
+pdf.footer_left = [logo|title|description|timestamp|pagination|none]
+* Set which element is displayed on the left side of footer.
+* Nothing is displayed if this setting is not set, or set to "none".
+* Default: logo
+
+pdf.footer_center = [logo|title|description|timestamp|pagination|none]
+* Set which element is displayed on the center of footer.
+* Nothing is displayed if this setting is not set, or set to "none".
+* Default: title
+
+pdf.footer_right = [logo|title|description|timestamp|pagination|none]
+* Set which element is displayed on the right side of footer.
+* Nothing is displayed if this setting is not set, or set to "none".
+* Default: timestamp,pagination
+
+pdf.html_image_rendering =
+* Whether or not images in HTML should be rendered in the PDF file.
+* If rendering images in HTML breaks the PDF for whatever reason,
+ change this setting to "false". The old HTML rendering is used.
+* Default: true
+
+sslVersions =
+* Comma-separated list of SSL versions to support.
+* The versions available are "ssl3", "tls1.0", "tls1.1", and "tls1.2".
+* The special version "*" selects all supported versions. The version "tls"
+ selects all versions tls1.0 or newer.
+* If a version is prefixed with "-" it is removed from the list.
+* SSLv2 is always disabled; "-ssl2" is accepted in the version list but does nothing.
+* When configured in FIPS mode, ssl3 is always disabled regardless
+ of this configuration.
+* Used exclusively for the email alert action and the sendemail search command.
+* The default can vary. See the 'sslVersions' setting in the
+ $SPLUNK_HOME/etc/system/default/alert_actions.conf file for the current default.
+
+sslVerifyServerCert =
+* If set to "true", make sure that the server that is being connected to is
+ a valid server (authenticated). Both the common name and the alternate
+ name of the server are then checked for a match if they are specified in this
+ configuration file. A certificate is considered verified if either is matched.
+* If set to "true", make sure 'server.conf/[sslConfig]/sslRootCAPath'
+ has been set correctly.
+* Used exclusively for the email alert action and the sendemail search command.
+* Default: false
+
+sslVerifyServerName =
+* Whether or not splunkd, as a client, performs a TLS hostname validation check
+ on an SSL certificate that it receives upon an initial connection
+ to a server.
+* A TLS hostname validation check ensures that a client
+ communicates with the correct server, and has not been redirected to
+ another by a machine-in-the-middle attack, where a malicious party inserts
+ themselves between the client and the target server, and impersonates
+ that server during the session.
+* Specifically, the validation check forces splunkd to verify that either
+ the Common Name or the Subject Alternate Name in the certificate that the
+ server presents to the client matches the host name portion of the URL that
+ the client used to connect to the server.
+* For this setting to have any effect, the 'sslVerifyServerCert' setting must
+ have a value of "true". If it doesn't, TLS hostname validation is not possible
+ because certificate verification is not on.
+* A value of "true" for this setting means that splunkd performs a TLS hostname
+ validation check, in effect, verifying the server's name in the certificate.
+ If that check fails, splunkd terminates the SSL handshake immediately. This terminates
+ the connection between the client and the server. Splunkd logs this failure at
+ the ERROR logging level.
+* A value of "false" means that splunkd does not perform the TLS hostname
+ validation check. If the server presents an otherwise valid certificate, the
+ client-to-server connection proceeds normally.
+* Default: false
+
+sslCommonNameToCheck = , , ...
+* Optional.
+* Check the common name of the server's certificate against this list of names.
+* 'sslVerifyServerCert' must be set to "true" for this setting to work.
+* Used exclusively for the email alert action and the sendemail search command.
+* Default: no common name checking is performed
+
+sslAltNameToCheck = , , ...
+* Optional.
+* Check the alternate name of the server's certificate against this list of names.
+* If there is no match, assume that Splunk is not authenticated against this
+ server.
+* 'sslVerifyServerCert' must be set to "true" for this setting to work.
+* Used exclusively for the email alert action and the sendemail search command.
+* Default: no alternate name checking is performed
+
+cipherSuite =
+* If set, the specified cipher string is used for the communication with
+ with the SMTP server.
+* Used exclusively for the email alert action and the sendemail search command.
+* The default can vary. See the 'cipherSuite' setting in the
+* $SPLUNK_HOME/etc/system/default/alert_actions.conf file for the current default.
+
+################################################################################
+# RSS: these settings are prefaced by the [rss] stanza
+################################################################################
+
+[rss]
+* Set RSS notification options under this stanza name.
+* Follow this stanza name with any number of the following setting/value pairs.
+* If you do not specify an entry for each setting, the default value is used.
+
+items_count =
+* The number of saved RSS feeds.
+* Cannot be more than 'maxresults' (in the global settings).
+* Default: 30
+
+################################################################################
+# script: Used to configure any scripts that the alert triggers.
+################################################################################
+[script]
+filename =
+* The filename, with no path, of the script to trigger.
+* The script should be located in: $SPLUNK_HOME/bin/scripts/
+* For system shell scripts on UNIX, or .bat or .cmd on Windows, there
+ are no further requirements.
+* For other types of scripts, the first line should begin with a '#!' marker,
+ followed by a path to the interpreter that runs the script.
+ * Example: #!C:\Python27\python.exe
+* Default: an empty string
+
+################################################################################
+# lookup: These settings are prefaced by the [lookup] stanza. They enable the
+ Splunk software to write scheduled search results to a new or existing
+ CSV lookup file.
+################################################################################
+[lookup]
+filename =
+* The filename, with no path, of the CSV lookup file. Filename must end with
+ ".csv".
+* If this file does not yet exist, Splunk software creates the file on
+ the next scheduled run of the search. If the file currently exists, the
+ file is overwritten on each run of the search unless "append=1".
+* The file is placed in the same path as other CSV lookup files:
+ $SPLUNK_HOME/etc/apps/search/lookups.
+* Default: an empty string
+
+append =
+* Whether or not to append results to the lookup file defined for the
+ 'filename' setting.
+* Default: 0 (false)
+
+################################################################################
+# summary_index: these settings are prefaced by the [summary_index] stanza
+################################################################################
+[summary_index]
+inline =
+* Whether or not the summary index search command is run as part of the
+ scheduled search or as a follow-on action. When the results of the scheduled
+ search are expected to be large, keep the default setting "inline=true".
+* Default: 1 (true)
+
+_name =
+* The name of the summary index where the events are written to.
+* Default: summary
+
+################################################################################
+# summary_metric_index: these settings are prefaced by the [summary_metric_index] stanza
+################################################################################
+[summary_metric_index]
+inline =
+* Whether or not the summary index search command is run as part of the
+ scheduled search or as a follow-on action. When the results of the scheduled
+ search are expected to be large, keep the default setting "inline=true".
+* Default: 1 (true)
+
+_name =
+* The name of the summary index where the events are written to.
+* Default: summary + +################################################################################ +# populate_lookup: these settings are prefaced by the [populate_lookup] stanza +################################################################################ +[populate_lookup] +dest = +* Name of the lookup table to populate (stanza name in the transforms.conf file), + or the lookup file path where you want the data written to. If a path is + specified it MUST be relative to $SPLUNK_HOME and a valid lookups + directory. + For example: "etc/system/lookups/" or + "etc/apps//lookups/" +* The user executing this action MUST have write permissions to the app for + this action to work properly. + +[] diff --git a/spec_files/9.1/app.conf.spec b/spec_files/9.1/app.conf.spec new file mode 100644 index 0000000..c891d91 --- /dev/null +++ b/spec_files/9.1/app.conf.spec 
@@ -0,0 +1,415 @@ +# Version 9.1.4 +# +############################################################################ +# OVERVIEW +############################################################################ +# This file maintains the state of a given app in the Splunk platform. It can +# also be used to customize certain aspects of an app. +# +# An app.conf file can exist within each app on the Splunk platform. +# +# You must restart the Splunk platform to reload manual changes to app.conf. +# +# To learn more about configuration files (including precedence) please see the +# documentation located at +# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles + +[author=] +email = +company = + +[id] +group = +name = +version = + +[launcher] +* Settings in this stanza determine how an app appears in the Launcher in the Splunk + platform and online on Splunkbase. + +# Global Settings: + +remote_tab = +* Determines whether the Launcher interface connects to apps.splunk.com + (Splunkbase). +* This setting only applies to the Launcher app. Do not set it in any + other app. +* Default: true + +# Per-application Settings: + +version = +* Version numbers are a number followed by a sequence of dots and numbers. +* The best practice for version numbers for releases is to use three digits + formatted as Major.Minor.Revision. +* Pre-release versions can append a single-word suffix like "beta" or + "preview". +* Use lower case and no spaces when you designate a pre-release version. +* Example versions: + * 1.2.0 + * 3.2.1 + * 11.0.34 + * 2.0beta + * 1.3beta2 + * 1.0preview + +description = +* A short explanatory string that appears below the title of the app in + Launcher. +* Limit descriptions to 200 characters or less for user readability. + +author = +* For apps that you intend to upload to Splunkbase, list the username of your + splunk.com account. 
+* For apps that are for internal use only, include your full name and/or contact + info, such as your email address. + +# Your app can include an icon which appears next to your app in Launcher +# and on Splunkbase. You can also include a screenshot, which shows up on +# Splunkbase when the user views information about your app before downloading it. +# If you include an icon file, the file name must end with "Icon" before the +# file extension and the "I" must be capitalized. For example, "mynewIcon.png". +# Screenshots are optional. +# +# There is no setting in app.conf for screenshot or icon images. +# Splunk Web places files you upload with your app into +# the $SPLUNK_HOME/etc/apps//static/ directory. +# These images do not appear in your app. +# +# Move or place icon images in the $SPLUNK_HOME/etc/apps//static/ directory. +# Move or place screenshot images in the $SPLUNK_HOME/etc/apps//static/ directory. +# Launcher and Splunkbase automatically detect the images in those locations. +# +# For example: +# +# /static/appIcon.png (the capital "I" is required!) +# /static/screenshot.png +# +# An icon image must be a 36px by 36px PNG file. +# An app screenshot must be a 623px by 350px PNG file. + +[package] +* This stanza defines upgrade-related metadata that streamlines app upgrade + to future versions of Splunk Enterprise. + +id = +* Omit this setting for apps that are for internal use only and not intended + for upload to Splunkbase. +* id is required for all new apps that you upload to Splunkbase. Future versions of + Splunk Enterprise will use appid to correlate locally-installed apps and the + same app on Splunkbase (e.g. to notify users about app updates). +* id must be the same as the folder name in which your app lives in + $SPLUNK_HOME/etc/apps. +* id must adhere to these cross-platform folder name restrictions: + * must contain only letters, numbers, "." (dot), and "_" (underscore) + characters. + * must not end with a dot character. 
+ * must not be any of the following names: CON, PRN, AUX, NUL, + COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, + LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9 + +check_for_updates = +* Determines whether Splunk Enterprise checks Splunkbase for updates to this + app. +* Default: true + +show_upgrade_notification = +* Determines whether Splunk Enterprise shows an upgrade notification in Splunk + Web for this app. +* Default: false + +[install] +* This stanza defines install settings for this app. + +state = disabled | enabled +* Determines whether an app is disabled or enabled on the Splunk platform. +* If an app is disabled, its configurations are ignored. +* Default: enabled + +state_change_requires_restart = +* Determines whether changing an app's state ALWAYS requires a restart of Splunk + Enterprise. +* State changes include enabling or disabling an app. +* When set to true, changing an app's state always requires a restart. +* When set to false, modifying an app's state might or might not require a + restart, depending on what the app contains. This setting cannot be used to + avoid all restart requirements. +* Default: false + +is_configured = +* Stores an indication of whether the application's custom setup has been + performed. +* Default: false + +build = +* Required. +* Must be a positive integer. +* Increment this whenever you change files in /static. +* Every release must change both 'version' and 'build' settings. +* Ensures browsers don't use cached copies of old static files + in new versions of your app. +* 'build' is a single integer, unlike 'version' which can be a complex string, + such as 1.5.18. + +allows_disable = +* Determines whether an app allows itself to be disabled. +* Default: true + +install_source_checksum = +* Records a checksum of the tarball from which a given app was installed. +* Splunk Enterprise automatically populates this value upon install. +* Do not set this value explicitly within your app! 
+ +install_source_local_checksum = +* Records a checksum of the tarball from which a given app's local configuration + was installed. +* Splunk Enterprise automatically populates this value upon install. +* Do not set this value explicitly within your app! + +python.version = {default|python|python2|python3} +* When 'installit.py' exists, selects which Python version to use. +* Set to either "default" or "python" to use the system-wide default Python + version. +* Optional. +* Default: Not set; uses the system-wide Python version. + +[triggers] +* This stanza controls reloading of custom configuration files included in + the app (4.2+ versions only). +* Include this stanza if your app includes custom configuration files. + +# Conf-level reload triggers +reload. = [ simple | never | rest_endpoints | access_endpoints | http_get | http_post ] +* Splunk Enterprise reloads app configuration after every app-state change: + install, update, enable, and disable. +* If your app does not use a custom config file (e.g.myconffile.conf) + then it does not require a [triggers] stanza. This is because + $SPLUNK_HOME/etc/system/default/app.conf includes a [triggers] + stanza, which automatically reloads config files used by Splunk Enterprise. +* If your app uses a custom config file (e.g. myconffile.conf) and you want to + avoid unnecessary Splunk Enterprise restarts, you can add a reload value in + the [triggers] stanza. +* If you do not include [triggers] settings and your app uses a custom config + file, Splunk Enterprise requires a restart after every state change. +* If set to "simple", Splunk Enterprise takes no special action + to reload your custom configuration file. +* If you specify "access_endpoints" with a URL to a REST endpoint, Splunk + Enterprise calls its _reload() method at every app state change. +* If you specify "http_get" with a URL to a REST endpoint, Splunk Enterprise + simulates an HTTP GET request against the URL at every app state change. 
+* If you specify "http_post" with a URL to a REST endpoint, Splunk Enterprise + simulates an HTTP POST request against the URL at every app state change. +* If set to "never", Splunk Enterprise initiates a restart after any state change. +* "rest_endpoints" is reserved for Splunk Enterprise internal use for reloading + restmap.conf. +* NOTE: The "conf_file_name" value does not include the file extension ".conf". + +# Stanza-level reload triggers +reload.. = [ simple | never | access_endpoints | http_get | http_post ] +* Stanza-level reload triggers for indexer-cluster peers to reload only the + config file stanzas that are changed in the newly pushed cluster bundle. +* With the stanza level reload triggers, we can have more granular control over + which subset of existing reload handlers to invoke depending on which stanzas + of a given config file have changed in the newly pushed cluster bundle. See + example below for more information. +* Stanza level reload trigger values operate identically to conf-level reload + trigger values, i.e. "simple", "never","access_endpoints", "http_get", "http_post". +* For any stanza of that does NOT have a corresponding stanza-level + reload trigger listed under the [triggers] section of app.conf, the cluster peer + will fallback to the "rolling restart behavior" upon detecting changes of those + "missing" stanzas in the newly pushed cluster bundle. +* NOTE: This setting is ONLY used by indexer-cluster peers and ONLY supported + by inputs.conf and server.conf. +* NOTE: The "conf_file_name" value does not include the file extension ".conf". + +[shclustering] +deployer_lookups_push_mode = preserve_lookups | always_preserve | always_overwrite | overwrite_on_change +* Determines the deployer_lookups_push_mode for the 'splunk apply + shcluster-bundle' command. +* If set to "preserve_lookups", the 'splunk apply shcluster-bundle' command + honors the '-preserve-lookups' option as it appears on the command line. 
If + '-preserve-lookups' is flagged as "true", then lookup tables for this app are + preserved. Otherwise, lookup tables are overwritten. +* If set to "always_preserve", the 'splunk apply shcluster-bundle' command ignores + the '-preserve-lookups' option as it appears on the command line and lookup + tables for this app are always preserved. +* If set to "always_overwrite", the 'splunk apply shcluster-bundle' command + ignores the '-preserve-lookups' option as it appears on the command line and + lookup tables for this app are always overwritten. +* If set to "overwrite_on_change", the 'splunk apply shcluster-bundle' command + ignores the '-preserve-lookups' option as it appears on the command line and + lookup tables for this app are overwritten if the app contents have changed. +* Default: always_preserve + +deployer_push_mode = full | merge_to_default | local_only | default_only +* How the deployer pushes the configuration bundle to search head cluster + members. +* If set to "full": Bundles all of the app's contents located in default/, + local/, users//, and other app subdirs. It then pushes the bundle to + the members. When applying the bundle on a member, the non-local and + non-user configurations from the deployer's app folder are copied to the + member's app folder, overwriting existing contents. Local and user + configurations are merged with the corresponding folders on the member, + such that member configuration takes precedence. This option should not + be used for built-in apps, as overwriting the member's built-in apps can + result in adverse behavior. +* If set to "merge_to_default": Merges the local and default folders into + the default folder and pushes the merged app to the members. When + applying the bundle on a member, the default configuration on the member + is overwritten. User configurations are copied and merged with the user + folder on the member, such that the existing configuration on the member + takes precedence. 
In versions 7.2 and prior, this was the only behavior. +* If set to "local_only": This option bundles the app's local directory (and its + metadata) and pushes it to the cluster. When applying the bundle to a + member, the local configuration from the deployer is merged with the + local configuration on the member, such that the member's existing + configuration takes precedence. Use this option to push the local + configuration of built-in apps, such as search. If used to push an app + that relies on non-local content (such as default/ or bin/), these + contents must already exist on the member. +* If set to "default_only": Bundles all of the configuration files except + for local and users//. When applying the bundle on a member, the + contents in the member's default folder are overwritten. +* Default (all apps except built-in apps): "merge_to_default" +* Default (built-in apps): "local_only" + +# +# Set UI-specific settings for this app +# + +[ui] +* This stanza defines UI-specific settings for this app. + +is_visible = +* Indicates if this app is visible/navigable as an app in Splunk Web. +* Apps require at least one view to be available in Splunk Web. + +show_in_nav = +* Determines whether this app appears in the global app dropdown. + +is_manageable = +* Support for this setting has been removed. It no longer has any effect. + +label = +* Defines the name of the app shown in Splunk Web and Launcher. +* Recommended length between 5 and 80 characters. +* Must not include "Splunk For" prefix. +* Label is required. +* Examples of good labels: + IMAP Monitor + SQL Server Integration Services + FISMA Compliance + +docs_section_override = +* Defines override for auto-generated app-specific documentation links. +* If not specified, app-specific documentation link includes + [:]. +* If specified, app-specific documentation link includes + []. +* This setting only applies to apps with documentation on the Splunk + documentation site. 
+ +attribution_link = +* URL that users can visit to find third-party software credits and attributions + for assets the app uses. +* External links must start with http:// or https://. +* Values that do not start with http:// or https:// get interpreted as Quickdraw + location strings and translated to internal documentation references. + +setup_view = +* Optional. +* Defines custom setup view found within the /data/ui/views REST endpoint. + +supported_themes = +* A comma-separated list of themes supported by the app. +* Supported values are "dark" and "light". +* This setting is optional. +* If you specify this setting, you must give it a value of "light". +* No default. + +[credentials_settings] +* This stanza controls credential-verification scripting (4.2+ versions only). +* Credential entries are superseded by passwords.conf from 6.3 onwards. +* While the entries here are still honored post-6.3, updates to these occur in + passwords.conf, which overrides any values present here. + +verify_script = +* Optional setting. +* Command line to invoke to verify credentials used for this app. +* For scripts, the command line must include both the interpreter and the + script for it to run. + * Example: "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/etc/apps//bin/$MY_SCRIPT" +* The invoked program is communicated with over standard in / standard out via + the same protocol as splunk scripted auth. +* Paths incorporating variable expansion or explicit spaces must be quoted. + * For example, a path including $SPLUNK_HOME should be quoted, as likely + will expand to C:\Program Files\Splunk + +python.version = {default|python|python2|python3} +* This property is used only when verify_script begins with the canonical path + to the Python interpreter, in other words, $SPLUNK_HOME/bin/python. If any + other path is used, this property is ignored. +* For Python scripts only, selects which Python version to use. 
+* Set to either "default" or "python" to use the system-wide default Python + version. +* Optional. +* Default: Not set; uses the system-wide Python version. + +[credential::] +password = +* Password that corresponds to the given username for the given realm. +* Realm is optional. +* The password can be in clear text, but when saved from splunkd the + password is always encrypted. + +[diag] +* This stanza applies to diag app extensions, 6.4+ only. + +extension_script = +* Setting this variable declares that this app puts additional information + into the troubleshooting & support oriented output of the 'splunk diag' + command. +* Must be a python script. +* Must be a simple filename, with no directory separators. +* The script must exist in the 'bin' subdirectory in the app. +* Full discussion of the interface is located on the Splunk developer portal. + See http://dev.splunk.com/view/SP-CAAAE8H +* Default: not set (no app-specific data collection will occur). + +data_limit = [b|kb|MB|GB] +* Defines a soft ceiling for the amount of uncompressed data that can be + added to the diag by the app extension. +* Large diags damage the main functionality of the tool by creating data blobs + too large to copy around or upload. +* Use this setting to ensure that your extension script does not accidentally + produce far too much data. +* After data produced by this app extension reaches the limit, diag does not add + any further files on behalf of the extension. +* After diag has finished adding a file which goes over this limit, all further files + are not be added. +* Must be a positive number followed by a size suffix. + * Valid suffixes: b: bytes, kb: kilobytes, mb: megabytes, gb: gigabytes + * Suffixes are case insensitive. +* Default: 100MB + +# Other diag settings + +default_gather_lookups = [, ...] +* Set this variable to declare that the app contains lookups that diag must + always gather by default. 
+* Essentially, if there are lookups which are useful for troubleshooting an + app, and will never contain sensitive (user) data, add the lookups to this + list so that they appear in generated diags for use when troubleshooting + the app from customer diags. +* Any files in lookup directories that are not listed here are not gathered by + default. You can override this behavior with the diag flag --include-lookups. +* This setting is new in Splunk Enterprise/Light version 6.5. Older versions + gather all lookups by default. +* This does not override the size-ceiling on files in etc. Large lookups are + still excluded unless the etc-filesize-limit is raised or disabled. +* This only controls files in the same app directory as this conf file. For + example, if you have an app directory in etc/peer-apps (index clustering), + this setting must appear in etc/peer-apps/appname/default/app.conf or + local/app.conf +* Additional lists can be created with default_gather_lookups-classname = ... +* Default: not set diff --git a/spec_files/9.1/audit.conf.spec b/spec_files/9.1/audit.conf.spec new file mode 100644 index 0000000..8a55d0a --- /dev/null +++ b/spec_files/9.1/audit.conf.spec 
@@ -0,0 +1,30 @@ +# Version 9.1.4 +# +# This file contains possible attributes and values you can use to configure +# auditing in audit.conf. +# +# There is NO DEFAULT audit.conf. To set custom configurations, place an +# audit.conf in $SPLUNK_HOME/etc/system/local/. For examples, see +# audit.conf.example. You must restart Splunk to enable configurations. +# +# To learn more about configuration files (including precedence) please see the +# documentation located at +# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles + +# GLOBAL SETTINGS +# Use the [default] stanza to define any global settings. +# * You can also define global settings outside of any stanza, at the top of the file. +# * Each conf file should have at most one default stanza. If there are +# multiple default stanzas, attributes are combined. In the case of multiple +# definitions of the same attribute, the last definition in the file wins. +# * If an attribute is defined at both the global level and in a specific +# stanza, the value in the specific stanza takes precedence. + +[auditTrail] +queueing = +* Whether or not audit events are sent to the indexQueue. +* If set to "true", audit events are sent to the indexQueue. +* If set to "false", you must add an inputs.conf stanza to tail the + audit log for the events reach your index. +* Default: true + diff --git a/spec_files/9.1/authentication.conf.spec b/spec_files/9.1/authentication.conf.spec new file mode 100644 index 0000000..e6ce80b --- /dev/null +++ b/spec_files/9.1/authentication.conf.spec 
@@ -0,0 +1,1643 @@ +# Version 9.1.4 +# +# This file contains possible settings and values for configuring +# authentication via authentication.conf. +# +# There is an authentication.conf file in $SPLUNK_HOME/etc/system/default/. To +# set custom configurations, place an authentication.conf in +# $SPLUNK_HOME/etc/system/local/. For examples, see +# authentication.conf.example. You must restart the Splunk platform to enable +# configurations. +# +# To learn more about configuration files, including precedence, see +# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles. + +# GLOBAL SETTINGS +# Use the [default] stanza to define any global settings. +# * You can also define global settings outside of any stanza, at the top +# of the file. +# * Each .conf file should have at most one default stanza. If there are +# multiple default stanzas, settings are combined. In the case of +# multiple definitions of the same setting, the last definition in the +# file wins. +# * If a setting is defined at both the global level and in a specific +# stanza, the value in the specific stanza takes precedence. + +[authentication] +* Follow this stanza name with any number of the following setting/value + pairs. + +authType = [Splunk|LDAP|Scripted|SAML|ProxySSO] +* Specify which authentication system to use. +* Supported values: Splunk, LDAP, Scripted, SAML, ProxySSO. +* Default: Splunk + +authSettings = ,,... +* Key to look up the specific configurations of chosen authentication + system. +* is the name of a stanza header that specifies + settings for scripted authentication, SAML, ProxySSO and for an LDAP + strategy. Those stanzas are defined below. +* For LDAP, specify the LDAP strategy name(s) here. If you want Splunk + software to query multiple LDAP servers, provide a comma-separated list + of all strategies. Each strategy must be defined in its own stanza. 
+ The order in which you specify the strategy names is the order Splunk + software uses to query their servers when looking for a user. +* For scripted authentication, should be a single + stanza name. + +passwordHashAlgorithm = [SHA512-crypt|SHA256-crypt|SHA512-crypt-|SHA256-crypt-|MD5-crypt] +* This controls how hashed passwords are stored in the + $SPLUNK_HOME/etc/passwd file for the default "Splunk" authType. +* "MD5-crypt" is an algorithm originally developed for FreeBSD in the early + 1990s, which became a widely used standard among UNIX machines. Splunk + Enterprise also used it through the 5.0.x releases. MD5-crypt runs the + salted password through a sequence of 1000 MD5 operations. +* "SHA256-crypt" and "SHA512-crypt" are newer versions that use 5000 rounds + of the Secure Hash Algorithm-256 (SHA256) or SHA512 hash functions. + This is slower than MD5-crypt and therefore more resistant to dictionary + attacks. SHA512-crypt is used for system passwords on many versions of Linux. +* These SHA-based algorithm can optionally be followed by a number of rounds + to use. For example, "SHA512-crypt-10000" uses twice as many rounds + of hashing as the default implementation. The number of rounds must be at + least 1000. + If you specify a very large number of rounds (i.e. more than 20x the + default value of 5000), splunkd might become unresponsive and connections to + splunkd (from Splunk Web or CLI) time out. +* This setting only affects new password settings (either when a user is + added or a user's password is changed). Existing passwords work but retain their + previous hashing algorithm. +* Default: SHA512-crypt + +defaultRoleIfMissing = +* Applicable for LDAP authType. If the LDAP server does not return any groups, or if + groups cannot be mapped to Splunk roles, then this value is used, if provided. +* This setting is optional. 
+* Default: empty string + +externalTwoFactorAuthVendor = +* A valid multifactor vendor string enables multifactor authentication + and loads support for the corresponding vendor if supported by the the Splunk platform. +* An empty string disables multifactor authentication in the the Splunk platform. +* Currently Splunk supports Duo and RSA as multifactor authentication vendors. +* This setting is optional. +* No default. + +externalTwoFactorAuthSettings = +* Key to look up the specific configuration of chosen multifactor + authentication vendor. +* This setting is optional. +* No default. + + +##################### +# LDAP settings +##################### + +[] +* Follow this stanza name with the following setting/value pairs. +* For multiple strategies, specify multiple instances of + this stanza, each with its own stanza name and a separate set of + settings. +* The must be one of the values listed in the + authSettings setting, which must be specified in the previous [authentication] + stanza. + +host = +* The hostname of the LDAP server. +* Confirm that your Splunk server can resolve the host name through DNS. +* Required. +* No default. + +SSLEnabled = [0|1] +* Specifies whether SSL is enabled. +* See the file $SPLUNK_HOME/etc/openldap/ldap.conf for SSL LDAP settings +* This setting is optional. +* Default: 0 (disabled) + +port = +* The port that the Splunk platform should use to connect to your LDAP server. +* This setting is optional. +* Default (non-SSL): 389 +* Default (SSL): 636 + +bindDN = +* The LDAP Distinguished Name of the user that retrieves the LDAP entries. +* This user must have read access to all LDAP users and groups you wish to + use in the auth system. +* This setting is optional. +* Leave this setting blank to retrieve your LDAP entries using + anonymous bind (which must be supported by the LDAP server) +* No default. + +bindDNpassword = +* Password for the bindDN user. +* This setting is optional. 
+* Leave this blank if anonymous bind is sufficient. +* No default. + +userBaseDN = +* The distinguished names of LDAP entries whose subtrees contain the users. +* Enter a ';' delimited list to search multiple trees. +* Required. +* No default. + +userBaseFilter = +* The LDAP search filter to use when searching for users. +* Highly recommended, especially when there are many entries in your LDAP + user subtrees. +* When used properly, search filters can significantly speed up LDAP queries +* Here is an example that matches users in the IT or HR department: + * userBaseFilter = (|(department=IT)(department=HR)) + * See RFC 2254 for more detailed information on search filter syntax +* This setting is optional. +* Default: empty string (no filtering) + +userNameAttribute = +* This is the username. +* NOTE: This setting should use case insensitive matching for its values, + and the values should not contain whitespace + * Usernames are case insensitive in the the Splunk platform +* In Active Directory, this is 'sAMAccountName' +* Required. +* A typical value is 'uid'. +* No default. + +realNameAttribute = +* The user's real, human readable name. +* Required. +* A typical value is 'cn'. +* No default. + +emailAttribute = +* The user's email address. +* This setting is optional. +* Default: mail + +groupMappingAttribute = +* The value that group entries use to declare membership. +* Groups are often mapped with user DN, so this defaults to 'dn' +* Set this if groups are mapped using a different setting + * Usually only needed for OpenLDAP servers. + * A typical setting is 'uid' + * For example, assume a group declares that one of its members is + 'splunkuser' — every user with the 'uid' value 'splunkuser' is + mapped to that group. +* This setting is optional. +* No default. + +groupBaseDN = [;;...] +* The LDAP Distinguished Names of LDAP entries whose subtrees contain + the groups. +* Required. +* Enter a semicolon (;) delimited list to search multiple trees. 
+* If your LDAP environment does not have group entries, there is a
+ configuration that can treat each user as its own group:
+ * Set groupBaseDN to the same as userBaseDN, which means you search
+ for groups in the same place as users.
+ * Next, set the groupMemberAttribute and groupMappingAttribute to the same
+ setting as userNameAttribute.
+ * This means the entry, when treated as a group, uses the username
+ value as its only member.
+ * For clarity, also set groupNameAttribute to the same
+ value as userNameAttribute.
+* No default.
+
+groupBaseFilter =
+* The LDAP search filter the Splunk platform uses when searching for static groups
+* Like 'userBaseFilter', this is highly recommended to speed up LDAP queries
+* See Request for Comments (RFC) 2254 on the Internet Engineering Task Force
+ (IETF) website for more information.
+* This setting is optional.
+* Default: empty string (no filtering).
+
+dynamicGroupFilter =
+* The LDAP search filter the Splunk platform uses when searching for dynamic groups.
+* Configure this setting only if you intend to retrieve dynamic groups
+ on your LDAP server.
+* Example: '(objectclass=groupOfURLs)'
+* This setting is optional.
+* Default: empty string
+
+dynamicMemberAttribute =
+* This setting contains the LDAP URL needed to retrieve members dynamically.
+* Only configure this if you intend to retrieve dynamic groups on your
+ LDAP server.
+* This setting is required if you want to retrieve dynamic groups.
+* Otherwise, it is optional.
+* Example: 'memberURL'
+* No default.
+
+groupNameAttribute =
+* This is the group entry setting whose value stores the group name.
+* A typical setting for this is 'cn' (common name)
+* Recall that if you are configuring LDAP to treat user entries as their own
+ group, user entries must have this setting
+* Required.
+* Default: empty string
+
+groupMemberAttribute =
+* This is the group entry setting whose values are the groups members
+* Typical setting for this are 'member' and 'memberUid'
+* For example, consider the groupMappingAttribute example above using
+ groupMemberAttribute 'member'
+ * To declare 'splunkuser' as a group member, its setting 'member' must
+ have the value 'splunkuser'
+* Required.
+* Default: empty string
+
+nestedGroups =
+* Controls whether the Splunk platform expands nested groups using the
+ 'memberof' extension.
+* Set to 1 if you have nested groups you want to expand and the 'memberof'
+ extension on your LDAP server.
+* This setting is optional.
+
+charset =
+* Only set this for an LDAP setup that returns non-UTF-8 encoded data. LDAP
+ is supposed to always return UTF-8 encoded data (See RFC 2251), but some
+ tools incorrectly return other encodings.
+* Follows the same format as 'CHARSET' in props.conf (see props.conf.spec)
+* An example value would be "latin-1"
+* This setting is optional.
+* Default: empty string
+
+anonymous_referrals = [0|1]
+* Set this to 0 to turn off referral chasing
+* Set this to 1 to turn on anonymous referral chasing
+* NOTE: the Splunk platform only chases referrals using anonymous bind.
+ It does not support rebinding using credentials.
+* If you do not need referral support, set this to 0.
+* If you wish to make referrals work, set this to 1 and confirm your server
+ allows anonymous searching
+* This setting is optional.
+* Default: 1
+
+sizelimit =
+* Limits the amount of entries that the Splunk platform requests in LDAP search.
+* NOTE: The max entries returned is still subject to the maximum
+ imposed by your LDAP server.
+ * Example: If you set this to 5000 and the server limits it to 1000,
+ the software only returns 1000 entries.
+* This setting is optional.
+* Default: 1000
+
+pagelimit =
+* The maximum number of entries to return in each page.
+* Enables result sets that exceed the maximum number of entries defined for the
+ LDAP server.
+* If set to -1, ldap pagination is off.
+* IMPORTANT: The maximum number of entries a page returns is subject to
+ the maximum page size limit of the LDAP server. For example: If you set 'pagelimit =
+ 5000' and the server limit is 1000, you cannot receive more than 1000 entries in
+ a page.
+* This setting is optional.
+* Default: -1
+
+enableRangeRetrieval =
+* The maximum number of values that can be retrieved from one attribute in a
+ single LDAP search request is determined by the LDAP server. If the number of
+ users in a group exceeds the LDAP server limit, enabling this setting fetches all
+ users by using the "range retrieval" mechanism.
+* Enables result sets for a given attribute that exceed the maximum number of
+ values defined for the LDAP server.
+* If set to false, ldap range retrieval is off.
+* This setting is optional.
+* Default: false
+
+timelimit =
+* Limits the amount of time, in seconds, that the Splunk platform waits for an LDAP search
+ request to complete.
+* If your searches finish quickly, lower this value from the default.
+* Maximum value is 30 seconds
+* Default: 15
+
+network_timeout =
+* Limits the amount of time a socket polls a connection without activity
+* This is useful for determining if your LDAP server cannot be reached
+* NOTE: As a connection could be waiting for search results, this value
+ must be higher than 'timelimit'.
+* Like 'timelimit', if you have a fast connection to your LDAP server,
+ lower this value.
+* Maximum value is -1 (unlimited)
+* This setting is optional.
+* Default: 20
+
+ldap_negative_cache_timeout =
+* The amount of time, in seconds, that the Splunk platform remembers that a non-existent
+ user on an LDAP provider does not exist.
+* This setting is useful when you want to avoid frequent LDAP queries for users
+ that do not exist on the LDAP provider.
+* This setting does not prevent LDAP queries on login. Login always queries the LDAP
+ provider to confirm that a user exists.
+* Default: 86400
+
+#####################
+# Map roles
+#####################
+
+[roleMap_]
+* The mapping of Splunk roles to LDAP groups for the LDAP strategy specified
+ by
+* Follow this stanza name with several Role-to-Group(s) mappings as defined
+ below.
+* NOTE: This role mapping ONLY applies to the specified strategy.
+* Importing groups for the same user from different strategies is not
+ supported.
+
+ =
+* Maps a Splunk role from the authorize.conf configuration file to one or more LDAP groups.
+* Separate multiple LDAP groups with semicolons, not spaces.
+* List several of these setting/value pairs to map several Splunk roles to
+ LDAP Groups.
+* LDAP group names are case sensitive.
+
+#####################
+# Scripted authentication
+#####################
+
+[]
+* Follow this stanza name with the following setting/value pairs:
+
+python.version = {default|python|python2|python3}
+* For Python scripts only, selects which Python version to use.
+* Set to either "default" or "python" to use the system-wide default Python
+ version.
+* Optional.
+* Default: Not set; uses the system-wide Python version.
+
+scriptSearchFilters = [1|0]
+* Whether or not to call the script to add search filters.
+* Set this to 1 to call the script to add search filters.
+* Default: 0
+
+[cacheTiming]
+* Use these settings to adjust how long the Splunk platform uses the answers returned
+ from script functions before calling them again.
+* All timeouts can be expressed in seconds or as a search-like time range
+* Examples include "30" (30 seconds), "2mins" (2 minutes), "24h" (24 hours), etc.
+* You can opt to use no caching for a particular function by setting the
+ value to "0".
+ * Be aware that this can severely hinder performance as a result of heavy
+ script invocation.
+* Choosing the correct values for cache timing involves a tradeoff between
+ new information latency and general performance.
+ * High values yield better performance from calling the script less, but
+ introduces a latency in picking up changes.
+ * Low values pick up changes in your external auth system more
+ quickly, but can slow down performance due to increased script
+ invocations.
+
+userLoginTTL =