Solved: File Precedence in splunk

santosh11 · ‎11-29-2019

Dear All,

When i was going through the document of splunk related to file precedence.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Wheretofindtheconfigurationfiles

In About configuration file context section

To determine the order of directories for evaluating configuration file precedence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user:

Global. Activities like indexing take place in a global context. They are independent of any app or user. For example, configuration files that determine monitoring or indexing behavior occur outside of the app and user context and are global in nature.
App/user. Some activities, like searching, take place in an app or user context. The app and user context is vital to search-time processing, where certain knowledge objects or actions might be valid only for specific users in specific apps.

What does the above paragraphs means which are commented for Global and App/User.

Can anyone please explain.

Regards,
Santosh

alonsocaio · ‎11-30-2019

Global Context is related to Index Time processes.
App/User Context is related to Search Time process.

When data is being consumed by Splunk, there are several other processes that can occur, such as default field extraction, default host assignment, custom index-time field extractions, event timestamping and linebreaking, structured data field extraction... All of it happen at index-time (Global Context)

When you run a search and events are collected by the search there are some process that also run, like search-time field extraction, field aliasing, tagging, event type matching... Those process run ate search-time (App/User Context). Also in app/user context files, you will have some Knowledge Objets, such as reports and dashboards. Remember that app and user context also consider the KO's and app permissions (Private, App or Global).

You can find more information about index and search time at: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Indextimeversussearchtime
Knowledge Objects permissions: https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Manageknowledgeobjectpermissions

View solution in original post

alonsocaio · ‎11-30-2019

Global Context is related to Index Time processes.
App/User Context is related to Search Time process.

When data is being consumed by Splunk, there are several other processes that can occur, such as default field extraction, default host assignment, custom index-time field extractions, event timestamping and linebreaking, structured data field extraction... All of it happen at index-time (Global Context)

When you run a search and events are collected by the search there are some process that also run, like search-time field extraction, field aliasing, tagging, event type matching... Those process run ate search-time (App/User Context). Also in app/user context files, you will have some Knowledge Objets, such as reports and dashboards. Remember that app and user context also consider the KO's and app permissions (Private, App or Global).

You can find more information about index and search time at: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Indextimeversussearchtime
Knowledge Objects permissions: https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Manageknowledgeobjectpermissions

File Precedence in splunk

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability