First Look: Splunk 9.0 Configuration Change Logging

Splunk Enterprise 9.0 brings us a new feature: configuration change tracking!

We’ll take a look at a few changes and how they’re logged, both in the new log file and in a Splunk index. If you would like more details, including video demos, see Tom Kopchak’s full blog post on the Hurricane Labs site.

The feature writes each detected change to a new log file, configuration_change.log, in the default Splunk log directory, $SPLUNK_HOME/var/log/splunk, and indexes that file into a new internal index, _configtracker. Configuration change tracking is enabled by default in Splunk 9.0.

To observe how changes are logged, let’s make a change in Splunk Web: create a new field alias by navigating to Settings → Fields → Field Aliases.

This change is written to configuration_change.log, and since that file is indexed into Splunk, we can search for it.

To see everything in the configuration_change.log file in your environment, run this search: index=_configtracker source=*configuration_change.log

Changes made directly to .conf files on the filesystem are tracked too. Edit a stanza in a .conf file and restart Splunk: a new entry is written to configuration_change.log, and if you re-run the search above you’ll see another event for the updated stanza.
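Because configuration_change.log is a line-per-event file on disk, it can also be triaged outside Splunk, for example by a host-level agent or a quick script when the indexer is unavailable. The following is an added example written for this post, not code from Splunk or from Hurricane Labs. It assumes a JSON event layout (data.path, data.action, data.changes[].stanza and data.changes[].properties[] with name, old_value and new_value); confirm those field names against a real line from your own configuration_change.log before relying on them. The sample events are constructed: the field alias from the walkthrough above (field aliases live in props.conf) and a weakened password-length setting in authentication.conf, which is the kind of change you would want alerted on rather than merely logged. The list of sensitive files is likewise an assumption to tune for your deployment.

```python
"""Triage Splunk 9.0 configuration_change.log events.

Added example for this post, not code from Splunk or Hurricane Labs. The
JSON field layout (data.path, data.action, data.changes[].stanza,
data.changes[].properties[].name / old_value / new_value) is an
assumption about how configuration_change.log is structured; confirm it
against a real line from $SPLUNK_HOME/var/log/splunk/configuration_change.log
before trusting the field names. The sample lines below are constructed.
"""
import json
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: which .conf files deserve an alert rather than a
# troubleshooting note. Tune for your deployment.
SENSITIVE_FILES = {
    "authentication.conf",  # auth backends, password policy
    "authorize.conf",       # roles and capabilities
    "server.conf",          # TLS, clustering, the change tracker itself
    "web.conf",             # Splunk Web TLS and session settings
}


@dataclass
class ConfigChange:
    path: str
    action: str
    stanza: str
    name: str
    old_value: Optional[str]
    new_value: Optional[str]

    @property
    def sensitive(self) -> bool:
        """True when the changed file is one we alert on."""
        return os.path.basename(self.path) in SENSITIVE_FILES

    def describe(self) -> str:
        """One-line human-readable summary of the change."""
        target = f"{os.path.basename(self.path)} [{self.stanza}]"
        if self.name:
            return f"{self.action}: {target} {self.name}: {self.old_value!r} -> {self.new_value!r}"
        return f"{self.action}: {target}"


def parse_events(lines: Iterable[str]) -> List[ConfigChange]:
    """Return one ConfigChange per changed property.

    Lines that are not JSON, or are JSON but not ConfigChange events, are
    skipped, so the function can be pointed at the raw log file.
    """
    out: List[ConfigChange] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("component") != "ConfigChange":
            continue
        data = event.get("data", {})
        path = data.get("path", "")
        action = data.get("action", "")
        for change in data.get("changes", []):
            stanza = change.get("stanza", "")
            props = change.get("properties") or []
            if not props:
                # A stanza-level add/delete with no per-key detail.
                out.append(ConfigChange(path, action, stanza, "", None, None))
            for prop in props:
                out.append(ConfigChange(
                    path, action, stanza,
                    prop.get("name", ""),
                    prop.get("old_value"),
                    prop.get("new_value"),
                ))
    return out


def flag_sensitive(changes: Iterable[ConfigChange]) -> List[ConfigChange]:
    """Keep only changes to files listed in SENSITIVE_FILES."""
    return [c for c in changes if c.sensitive]


# Constructed sample events in the assumed layout, plus a non-JSON line
# that a real log file might contain and that the parser must skip.
SAMPLE_LOG = [
    '{"datetime":"06-15-2022 10:21:04.118 -0400","log_level":"INFO",'
    '"component":"ConfigChange","data":{"path":"/opt/splunk/etc/apps/search/local/props.conf",'
    '"action":"update","changes":[{"stanza":"access_combined","properties":['
    '{"name":"FIELDALIAS-src","old_value":null,"new_value":"clientip AS src"}]}]}}',
    'this line is not JSON and should be ignored',
    '{"datetime":"06-15-2022 10:25:40.002 -0400","log_level":"INFO",'
    '"component":"ConfigChange","data":{"path":"/opt/splunk/etc/system/local/authentication.conf",'
    '"action":"update","changes":[{"stanza":"splunk_auth","properties":['
    '{"name":"minPasswordLength","old_value":"8","new_value":"6"}]}]}}',
]


def main(argv: List[str]) -> None:
    """Print sensitive changes from a log file path, or from the samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            changes = parse_events(fh)
    else:
        changes = parse_events(SAMPLE_LOG)
    for change in flag_sensitive(changes):
        print(change.describe())


if __name__ == "__main__":
    import sys
    main(sys.argv)
```

Run with no arguments to see the constructed samples triaged, or pass the path to your configuration_change.log. Only the authentication.conf change is reported; the props.conf field alias is parsed but not flagged, which is the split between "useful for troubleshooting" and "worth waking someone up" that a detection pipeline built on this log would need.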

This feature will be helpful for troubleshooting Splunk deployments and for identifying configuration changes as they occur, with the file, stanza and time of each change recorded in one place.

Need more support? Contact us! We’re here to help!

More articles from Hurricane Labs