As a newcomer to Splunk, I am currently seeking to gain a deeper understanding of Splunk apps and their associated benefits. While I am familiar with the process of packaging and deploying an app, I remain uncertain regarding one particular aspect: whether it is possible to bundle configuration related to the search head and apply it to the entire search head, as opposed to only a specific app?
My difficulty in understanding the specifics of this process has led me to question whether, upon deploying the packaged configuration, it will indeed only be applied to that specific app and not to the wider Splunk environment.
I would greatly appreciate it if you could point me towards any relevant documents or resources too.
It's possible for configurations in an app to be global in scope. Changes to limits.conf, for example, apply to the whole instance rather than just an app. Precedence rules apply so an app cannot override a setting in $SPLUNK_HOME/etc/system/local, which limits what an app can do. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Wheretofindtheconfigurationfiles for the config file precedence rules.
It's possible for configurations in an app to be global in scope. Changes to limits.conf, for example, apply to the whole instance rather than just an app. Precedence rules apply so an app cannot override a setting in $SPLUNK_HOME/etc/system/local, which limits what an app can do. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Wheretofindtheconfigurationfiles for the config file precedence rules.
Thanks, that’s helpful