According to best practices, should custom configurations be stored in SPLUNK_HOME/etc/system/?

Storing custom configurations in SPLUNK_HOME/etc/system/ is not recommended as a best practice. Instead, it's advised to create a dedicated app for custom configurations within the SPLUNK_HOME/etc/apps/ directory. This approach offers several advantages, such as easier management and organization of configurations, better version control, and the ability to easily share or replicate configurations across different Splunk instances. Custom configurations can be isolated within their own app, which makes it easier to enable or disable them as needed without impacting other configurations.

Moreover, keeping the system directory clean prevents potential conflicts with future Splunk upgrades and maintains clarity in tracking changes over time. Using dedicated apps for custom configurations also facilitates collaboration among team members and helps maintain a clear separation between Splunk's core files and user-defined settings.

By following this best practice, you can ensure a more maintainable, organized, and efficient Splunk environment.