Suppose I have 3 macros of the same name, one defined for user admin, other for application MyApp and the third one as Global. I am logged in as admin, in application MyApp and referencing the macro in the query. Which macro Splunk uses? What are the preferences?
The same question is in place for other objects like reports, dashboards, data models,
Question2: Is there a specific syntax to direct the search to use other instance?
Question1: Check out the precedence docs:
It seems like the precedence would be in your case : global > app > user .
Which means the global one will run eventually.
Question2: I don't think you can run any configuration that was overridden by another, since it will always load one time any line in a stanze.
Question 2: No, there is no way for the user of a macro to direct Splunk to use a different version.
Question 1: Which macro Splunk uses, depends on configuration file precedence. You can read up on config file precedence in the Admin manual here. That page also has a reference to btool which can be very helpful to see how Splunk combines the configuration files. You might also want read Use btool to troubleshoot configurations.
To see exactly what is happening in your case, you might try running the following command on the command line of your search head:
splunk cmd btool --app=MyApp --user=admin macro list --debug
And specifically, in your example, Splunk will evaluate the macros.conf files in the following order, using the first definition it finds:
SPLUNK_HOME/etc/users/admin/MyApp/local/macros.conf SPLUNK_HOME/etc/apps/MyApp/local/macros.conf SPLUNK_HOME/etc/apps/MyApp/default/macros.conf SPLUNK_HOME/etc/system/local/macros.conf SPLUNK_HOME/etc/apps/*/local/macros.conf [but only for macros with global visibility] SPLUNK_HOME/etc/apps/*/default/macros.conf [but only for macros with global visibility] SPLUNK_HOME/etc/system/default/macros.conf
Thanks for the answer. This brings another question. How can I direct Splunk to store any object in a specific directory. The Splunk UI has 3 options only, Privat, AppContext and Global, but we have at least seven options in the above list of directories.
We have 3 major location options, two of them expand into local+default.
Plus we have permission options within the app: (app\global)
Expanded to default\local:
Expanded to app\global:
The override order would be: