Team,
I'm trying to better understand the under-the-hood part of splunk. I thought that when you set the permissions to global of, say, a field extraction that the system actually moved those lines from the "etc/apps/search/local/props.conf" file to the "etc/default/local/props.conf" file. Am I wrong about that? As it stands, I have some field extractions that are set to "global" but that still live in "etc/apps/search/local/props.conf"
Thanks!
-S.
Setting permissions to global isn't going to move those field extractions into the default directory. The default directory is the initial, 'default' Splunk configuration. Additional configuration can be made available globally, but they will still exist within the conf file where they were created, in your case /etc/apps/search/local/props.conf. It is not recommended to edit the files in /default, as they would be overwritten on upgrade and any customizations would not be retained.
sondra,
Setting permissions to global makes a change to your app's (in this case search's) local.meta in SPLUNK_HOME/etc/apps/<app>/metadata/local.meta
. It is the .meta files that control what is "global", not the location of the resources. Location of resources instead affects the precedence by which configuration files are read.
Remember to accept hazedav's answer as correct!
Ah, perfect! Thanks!
-S.