topic Splunk File presedence in Security

Splunk File presedence

ansif — Fri, 08 Dec 2017 10:02:20 GMT

I know the configuration file precedence, my question is if /system/local is first path of a configuration file then Splunk skips to check /system/default for the same conf file?

Re: Splunk File presedence

kamlesh_vaghela — Fri, 08 Dec 2017 10:23:29 GMT

Can you please check Precedence order within global context: in this link?

http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Wheretofindtheconfigurationfiles

Re: Splunk File presedence

harsmarvania57 — Fri, 08 Dec 2017 10:40:36 GMT

Hi @ansif,

In splunk local directory has higher precedence than default directory which doesn't mean that splunk will not read conf file from default directory.

Let's take example of props.conf, you have $SPLUNK_HOME/etc/system/local/props.conf with below config

[yoursourcetype]
TRUNCATE = 20000

So in this case when splunk read configuration for sourcetype yoursourcetype it will take value for TRUNCATE parameter from $SPLUNK_HOME/etc/system/local/props.conf however remaining variable default setting will take from $SPLUNK_HOME/etc/system/default/props.conf for example MAX_EVENTS=256

To check in splunk which parameter is coming from which configuration file (local or default) you can use below command

$SPLUNK_HOME/bin/splunk cmd btool props --debug list

Here I have given example of props.conf but same applies to all .conf files.

I hope this helps.

Thanks,
Harshil