Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- File Precedence in splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear All,
When i was going through the document of splunk related to file precedence.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Wheretofindtheconfigurationfiles
In About configuration file context section
To determine the order of directories for evaluating configuration file precedence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user:
Global. Activities like indexing take place in a global context. They are independent of any app or user. For example, configuration files that determine monitoring or indexing behavior occur outside of the app and user context and are global in nature.
App/user. Some activities, like searching, take place in an app or user context. The app and user context is vital to search-time processing, where certain knowledge objects or actions might be valid only for specific users in specific apps.
What does the above paragraphs means which are commented for Global and App/User.
Can anyone please explain.
Regards,
Santosh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Global Context is related to Index Time processes.
- App/User Context is related to Search Time process.
When data is being consumed by Splunk, there are several other processes that can occur, such as default field extraction, default host assignment, custom index-time field extractions, event timestamping and linebreaking, structured data field extraction... All of it happen at index-time (Global Context)
When you run a search and events are collected by the search there are some process that also run, like search-time field extraction, field aliasing, tagging, event type matching... Those process run ate search-time (App/User Context). Also in app/user context files, you will have some Knowledge Objets, such as reports and dashboards. Remember that app and user context also consider the KO's and app permissions (Private, App or Global).
You can find more information about index and search time at: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Indextimeversussearchtime
Knowledge Objects permissions: https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Manageknowledgeobjectpermissions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Global Context is related to Index Time processes.
- App/User Context is related to Search Time process.
When data is being consumed by Splunk, there are several other processes that can occur, such as default field extraction, default host assignment, custom index-time field extractions, event timestamping and linebreaking, structured data field extraction... All of it happen at index-time (Global Context)
When you run a search and events are collected by the search there are some process that also run, like search-time field extraction, field aliasing, tagging, event type matching... Those process run ate search-time (App/User Context). Also in app/user context files, you will have some Knowledge Objets, such as reports and dashboards. Remember that app and user context also consider the KO's and app permissions (Private, App or Global).
You can find more information about index and search time at: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Indextimeversussearchtime
Knowledge Objects permissions: https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Manageknowledgeobjectpermissions
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
