Knowledge Management

Which macro instance does Splunk run?

mdzmuran
Observer

Suppose I have 3 macros of the same name: one defined for user admin, another for application MyApp, and the third one as Global. I am logged in as admin, in application MyApp, and referencing the macro in the query. Which macro does Splunk use? What are the preferences?

The same question is in place for other objects like reports, dashboards, data models,

Question2: Is there a specific syntax to direct the search to use another instance?

mdz

0 Karma

lguinn2
Legend

Question 2: No, there is no way for the user of a macro to direct Splunk to use a different version.

Question 1: Which macro Splunk uses depends on configuration file precedence. You can read up on config file precedence in the Admin manual here. That page also has a reference to btool, which can be very helpful to see how Splunk combines the configuration files. You might also want to read Use btool to troubleshoot configurations.

To see exactly what is happening in your case, you might try running the following command on the command line of your search head:

splunk cmd btool --app=MyApp --user=admin macros list --debug

And specifically, in your example, Splunk will evaluate the macros.conf files in the following order, using the first definition it finds:

SPLUNK_HOME/etc/users/admin/MyApp/local/macros.conf
SPLUNK_HOME/etc/apps/MyApp/local/macros.conf
SPLUNK_HOME/etc/apps/MyApp/default/macros.conf
SPLUNK_HOME/etc/system/local/macros.conf
SPLUNK_HOME/etc/apps/*/local/macros.conf [but only for macros with global visibility]
SPLUNK_HOME/etc/apps/*/default/macros.conf  [but only for macros with global visibility]
SPLUNK_HOME/etc/system/default/macros.conf
0 Karma
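
The lookup order listed in the answer above, modelled as an added example (not code from the thread or from Splunk): it reports which macros.conf definition wins for a given user and app, and which same-named definitions are shadowed. The macro name, OtherApp, the `global` flag standing in for the sharing setting, and the alphabetical order among wildcard-matched apps are assumptions.

```python
from fnmatch import fnmatchcase

def search_order(user, app):
    """(path pattern, globals_only) pairs, in the order listed in the answer."""
    return [
        (f"etc/users/{user}/{app}/local/macros.conf", False),
        (f"etc/apps/{app}/local/macros.conf", False),
        (f"etc/apps/{app}/default/macros.conf", False),
        ("etc/system/local/macros.conf", False),
        ("etc/apps/*/local/macros.conf", True),
        ("etc/apps/*/default/macros.conf", True),
        ("etc/system/default/macros.conf", False),
    ]

def resolve(macro, user, app, files):
    """Return (winning path, shadowed paths) for one macro name.

    files maps a path under SPLUNK_HOME to {macro name: {"definition", "global"}}.
    """
    hits = []
    for pattern, globals_only in search_order(user, app):
        for path in sorted(files):  # assumption: order among wildcard-matched apps
            entry = files[path].get(macro)
            if entry is None or not fnmatchcase(path, pattern):
                continue
            if globals_only and not entry["global"]:
                continue  # app-only macros in other apps are not visible here
            if path not in hits:
                hits.append(path)
    return (hits[0], hits[1:]) if hits else (None, [])

# Constructed sample: the three same-named macros from the question.
SAMPLE = {
    "etc/users/admin/MyApp/local/macros.conf":
        {"my_macro": {"definition": "index=private", "global": False}},
    "etc/apps/MyApp/local/macros.conf":
        {"my_macro": {"definition": "index=app", "global": False}},
    "etc/apps/OtherApp/local/macros.conf":
        {"my_macro": {"definition": "index=global", "global": True}},
}

if __name__ == "__main__":
    for user, app in [("admin", "MyApp"), ("alice", "MyApp"), ("alice", "search")]:
        winner, shadowed = resolve("my_macro", user, app, SAMPLE)
        print(f"{user}@{app}: uses {winner}; shadowed: {shadowed}")
```

The shadowed list is the part worth reviewing when a shared search relies on a macro: it shows every definition that a higher-precedence copy silently replaces for that user and app.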

mdzmuran
Observer

Thanks for the answer. This brings another question: How can I direct Splunk to store any object in a specific directory? The Splunk UI has 3 options only, Private, AppContext and Global, but we have at least seven options in the above list of directories.

0 Karma

ehudb
Contributor

We have 3 major location options, two of them expand into local+default.
Plus we have permission options within the app: (app\global)

Major:
Private
App
System

Expanded to default\local:
Private
App-default
App-local
System-default
System-local

Expanded to app\global:
Private
App-default (App-only)
App-local (App-only)
App-default (Global)
App-local (Global)
System-default
System-local

The override order would be:
Private
App-default (App-only)
App-local (App-only)
System-local
App-default (Global)
App-local (Global)
System-default

0 Karma

ehudb
Contributor

Question1: Check out the precedence docs:

https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Wheretofindtheconfigurationfiles

It seems like the precedence would be in your case: global > app > user.
Which means the global one will run eventually.

Question2: I don't think you can run any configuration that was overridden by another, since it will always load one time any line in a stanza.

0 Karma