Which macro instance Splunk runs?

mdzmuran
Observer

Suppose I have 3 macros of the same name: one defined for user admin, another for application MyApp, and the third one as Global. I am logged in as admin, in application MyApp, and referencing the macro in the query. Which macro does Splunk use? What are the preferences?

The same question is in place for other objects like reports, dashboards, data models,

Question 2: Is there a specific syntax to direct the search to use another instance?

mdz

0 Karma

lguinn2
Legend

Question 2: No, there is no way for the user of a macro to direct Splunk to use a different version.

Question 1: Which macro Splunk uses depends on configuration file precedence. You can read up on config file precedence in the Admin manual here. That page also has a reference to btool, which can be very helpful to see how Splunk combines the configuration files. You might also want to read Use btool to troubleshoot configurations.

To see exactly what is happening in your case, you might try running the following command on the command line of your search head:

splunk cmd btool --app=MyApp --user=admin macros list --debug

And specifically, in your example, Splunk will evaluate the macros.conf files in the following order, using the first definition it finds:

SPLUNK_HOME/etc/users/admin/MyApp/local/macros.conf
SPLUNK_HOME/etc/apps/MyApp/local/macros.conf
SPLUNK_HOME/etc/apps/MyApp/default/macros.conf
SPLUNK_HOME/etc/system/local/macros.conf
SPLUNK_HOME/etc/apps/*/local/macros.conf [but only for macros with global visibility]
SPLUNK_HOME/etc/apps/*/default/macros.conf  [but only for macros with global visibility]
SPLUNK_HOME/etc/system/default/macros.conf
0 Karma
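
The lookup order listed in the answer above, as an added example that is not part of the original thread and is not Splunk code: `resolve()` walks those seven locations for a given user, app and macro name and returns the first macros.conf that defines it, which makes it easy to spot a private or app-level macro shadowing a shared one. The sample tree, the macro names and the simplified `export = system` check against `metadata/*.meta` are assumptions made for the example.

```python
import tempfile
from pathlib import Path

def parse(path):
    """Minimal .conf/.meta reader -> {stanza: {key: value}} (no line continuations)."""
    out, cur = {}, None
    for line in path.read_text().splitlines() if path.is_file() else []:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = out.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return out

def is_global(app_dir, macro):
    """Simplified assumption: global if either .meta file sets export = system."""
    metas = [parse(app_dir / "metadata" / m) for m in ("local.meta", "default.meta")]
    return any(c.get(s, {}).get("export") == "system"
               for c in metas for s in (f"macros/{macro}", "macros", ""))

def resolve(home, user, app, macro):
    """Return the first macros.conf defining [macro], in the order listed above."""
    etc = Path(home) / "etc"
    shared = sorted(d for d in (etc / "apps").iterdir() if is_global(d, macro))
    dirs = [etc / "users" / user / app / "local",
            etc / "apps" / app / "local", etc / "apps" / app / "default",
            etc / "system" / "local",
            *(d / "local" for d in shared), *(d / "default" for d in shared),
            etc / "system" / "default"]
    for d in dirs:
        if macro in parse(d / "macros.conf"):
            return (d / "macros.conf").relative_to(home).as_posix()
    return None

def build_sample():
    """Constructed sample tree standing in for SPLUNK_HOME (not real data)."""
    home = Path(tempfile.mkdtemp())
    files = {
        "etc/users/admin/MyApp/local/macros.conf": "[get_events]\ndefinition = index=scratch\n",
        "etc/apps/MyApp/local/macros.conf": "[get_events]\ndefinition = index=main\n",
        "etc/apps/OtherApp/default/macros.conf": "[get_events]\ndefinition = index=*\n[shared]\ndefinition = sourcetype=x\n[local_only]\ndefinition = host=y\n",
        "etc/apps/OtherApp/metadata/default.meta": "[macros/get_events]\nexport = system\n[macros/shared]\nexport = system\n",
    }
    for rel, text in files.items():
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_text(text)
    return home
```

For example, `resolve(build_sample(), "admin", "MyApp", "get_events")` returns the private copy under `etc/users/admin/MyApp/local`, while the same call for a user without a private copy falls through to `etc/apps/MyApp/local`.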

mdzmuran
Observer

Thanks for the answer. This brings another question. How can I direct Splunk to store any object in a specific directory? The Splunk UI has 3 options only (Private, AppContext and Global), but we have at least seven options in the above list of directories.

0 Karma

ehudb
Contributor

We have 3 major location options, two of them expand into local+default.
Plus we have permission options within the app: (app\global)

Major:
Private
App
System

Expanded to default\local:
Private
App-default
App-local
System-default
System-local

Expanded to app\global:
Private
App-default (App-only)
App-local (App-only)
App-default (Global)
App-local (Global)
System-default
System-local

The override order would be:
Private
App-default (App-only)
App-local (App-only)
System-local
App-default (Global)
App-local (Global)
System-default

0 Karma

ehudb
Contributor

Question1: Check out the precedence docs:

https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Wheretofindtheconfigurationfiles

It seems like the precedence would be in your case: global > app > user.
Which means the global one will run eventually.

Question2: I don't think you can run any configuration that was overridden by another, since it will always load any line in a stanza only one time.

0 Karma