Default Configuration

michaeler
Communicator

Hello all, 

I have what is probably a pretty basic question about configuration files. I know the precedence goes like this:

1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority

But if I have only a few things addressed in my inputs.conf in my system\local directory like:

[WinEventLogs://Security]
[WinEventLogs://Application]
[WinEventLogs://System]

Do the additional stanzas in my system\default directory inputs.conf file get applied as well and only the ones I specifically addressed above override what's in the default conf? Or is this file ignored because I have an inputs.conf in my local directory?

0 Karma

thambisetty
SplunkTrust

Do the additional stanzas in my system\default directory inputs.conf file get applied as well

yes

and only the ones I specifically addressed above override what's in the default conf?

yes

Or is this file ignored because I have an inputs.conf in my local directory?

New attributes for the same stanza will not be ignored from default. If the same attribute is defined in both local and default for a particular stanza, then the one defined in local will take precedence.

Let me give you an example:

system/local/inputs.conf

[WinEventLogs://Security]
index=windows
sourcetype=sourcetype_local

system/default/inputs.conf

[WinEventLogs://Security]
index=windows
sourcetype=sourcetype_default
source=source_default

[WinEventLogs://Application]
index=windows
sourcetype=st_app_default

Final config of Splunk will be like:

[WinEventLogs://Security] # This is available in local
index=windows # This is available in local
sourcetype=sourcetype_local # This is available in local
source=source_default # This is from default

[WinEventLogs://Application]
index=windows
sourcetype=st_app_default

Splunk doc example for file precedence is below:

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/Wheretofindtheconfigurationfiles#Example_of...

————————————
If this helps, give a like below.

0 Karma

gcusello
SplunkTrust

Hi @michaeler,

If you have a configuration in two stanzas, the one with the highest priority wins.

If you have a configuration in only one stanza, it's applied to your data, so if you have a configuration only in system\default, it's applied to your data.

In fact, if you want to exclude a configuration that's present in system\default, you have to find a value to override it in system\local or delete it from system\default; otherwise it's applied.

Ciao.

Giuseppe

0 Karma
