Knowledge Management

Which macro instance Splunk runs?

mdzmuran
Observer

Suppose I have 3 macros of the same name, one defined for user admin, another for application MyApp and the third one as Global. I am logged in as admin, in application MyApp and referencing the macro in the query. Which macro does Splunk use? What are the preferences?

The same question is in place for other objects like reports, dashboards, data models.

Question2: Is there a specific syntax to direct the search to use another instance?

mdz

0 Karma

lguinn2
Legend

Question 2: No, there is no way for the user of a macro to direct Splunk to use a different version.

Question 1: Which macro Splunk uses depends on configuration file precedence. You can read up on config file precedence in the Admin manual here. That page also has a reference to btool, which can be very helpful to see how Splunk combines the configuration files. You might also want to read Use btool to troubleshoot configurations.

To see exactly what is happening in your case, you might try running the following command on the command line of your search head:

splunk cmd btool --app=MyApp --user=admin macro list --debug

And specifically, in your example, Splunk will evaluate the macros.conf files in the following order, using the first definition it finds:

SPLUNK_HOME/etc/users/admin/MyApp/local/macros.conf
SPLUNK_HOME/etc/apps/MyApp/local/macros.conf
SPLUNK_HOME/etc/apps/MyApp/default/macros.conf
SPLUNK_HOME/etc/system/local/macros.conf
SPLUNK_HOME/etc/apps/*/local/macros.conf [but only for macros with global visibility]
SPLUNK_HOME/etc/apps/*/default/macros.conf  [but only for macros with global visibility]
SPLUNK_HOME/etc/system/default/macros.conf
0 Karma
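
The lookup order listed in the answer above, modelled as an added Python example (not code from the thread or from Splunk) that reports which definition wins and which ones it shadows. The file contents, the macro name detect_index, the analyst user and the OtherApp and Search apps are constructed, and global visibility is passed in as a set rather than read from the apps' metadata.

```python
import configparser

# Constructed sample files (not from the thread): path -> macros.conf content.
FILES = {
    "etc/users/admin/MyApp/local/macros.conf": "[detect_index]\ndefinition = index=scratch\n",
    "etc/apps/MyApp/local/macros.conf": "[detect_index]\ndefinition = index=myapp\n",
    "etc/apps/OtherApp/default/macros.conf": "[detect_index]\ndefinition = index=main\n",
}
# Constructed: (app, macro) pairs that are shared with global visibility.
GLOBAL = {("OtherApp", "detect_index")}

def stanzas(text):
    """Parse macros.conf text into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def search_order(user, app, apps):
    """Directories in the order the answer lists; second field marks global-only steps."""
    order = [(f"etc/users/{user}/{app}/local", None),
             (f"etc/apps/{app}/local", None),
             (f"etc/apps/{app}/default", None),
             ("etc/system/local", None)]
    order += [(f"etc/apps/{a}/local", a) for a in apps]
    order += [(f"etc/apps/{a}/default", a) for a in apps]
    order.append(("etc/system/default", None))
    return order

def resolve(macro, user, app, files=FILES, global_macros=GLOBAL):
    """Return [(path, definition), ...]: the first entry wins, the rest are shadowed."""
    apps = sorted({p.split("/")[2] for p in files if p.startswith("etc/apps/")})
    hits, seen = [], set()
    for directory, global_app in search_order(user, app, apps):
        path = f"{directory}/macros.conf"
        if path in seen or path not in files:
            continue
        seen.add(path)
        if global_app and (global_app, macro) not in global_macros:
            continue  # at these steps only globally visible macros count
        conf = stanzas(files[path])
        if macro in conf:
            hits.append((path, conf[macro].get("definition", "")))
    return hits

if __name__ == "__main__":
    for who, ctx in [("admin", "MyApp"), ("analyst", "MyApp"), ("analyst", "Search")]:
        hits = resolve("detect_index", who, ctx)
        print(who, ctx, "->", hits[0] if hits else None, "| shadowed:", len(hits) - 1)
```

A result with more than one entry means the same macro name expands differently depending on who runs the search and in which app, which is worth reviewing when the macro sits inside a shared report or alert.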

mdzmuran
Observer

Thanks for the answer. This brings another question. How can I direct Splunk to store any object in a specific directory? The Splunk UI has 3 options only, Private, AppContext and Global, but we have at least seven options in the above list of directories.

0 Karma

ehudb
Contributor

We have 3 major location options, two of them expand into local+default.
Plus we have permission options within the app: (app\global)

Major:
Private
App
System

Expanded to default\local:
Private
App-default
App-local
System-default
System-local

Expanded to app\global:
Private
App-default (App-only)
App-local (App-only)
App-default (Global)
App-local (Global)
System-default
System-local

The override order would be:
Private
App-default (App-only)
App-local (App-only)
System-local
App-default (Global)
App-local (Global)
System-default

0 Karma

ehudb
Contributor

Question1: Check out the precedence docs:

https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Wheretofindtheconfigurationfiles

It seems like the precedence would be in your case: global > app > user.
Which means the global one will run eventually.

Question2: I don't think you can run any configuration that was overridden by another, since it will always load one time any line in a stanza.

0 Karma