Security

File Precedence in splunk

santosh11
New Member

Dear All,

When i was going through the document of splunk related to file precedence.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Wheretofindtheconfigurationfiles

In About configuration file context section

To determine the order of directories for evaluating configuration file precedence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user:

Global. Activities like indexing take place in a global context. They are independent of any app or user. For example, configuration files that determine monitoring or indexing behavior occur outside of the app and user context and are global in nature.
App/user. Some activities, like searching, take place in an app or user context. The app and user context is vital to search-time processing, where certain knowledge objects or actions might be valid only for specific users in specific apps.

What does the above paragraphs means which are commented for Global and App/User.

Can anyone please explain.

Regards,
Santosh

0 Karma
1 Solution

alonsocaio
Contributor
  • Global Context is related to Index Time processes.
  • App/User Context is related to Search Time process.

When data is being consumed by Splunk, there are several other processes that can occur, such as default field extraction, default host assignment, custom index-time field extractions, event timestamping and linebreaking, structured data field extraction... All of it happen at index-time (Global Context)

When you run a search and events are collected by the search there are some process that also run, like search-time field extraction, field aliasing, tagging, event type matching... Those process run ate search-time (App/User Context). Also in app/user context files, you will have some Knowledge Objets, such as reports and dashboards. Remember that app and user context also consider the KO's and app permissions (Private, App or Global).

You can find more information about index and search time at: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Indextimeversussearchtime
Knowledge Objects permissions: https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Manageknowledgeobjectpermissions

View solution in original post

alonsocaio
Contributor
  • Global Context is related to Index Time processes.
  • App/User Context is related to Search Time process.

When data is being consumed by Splunk, there are several other processes that can occur, such as default field extraction, default host assignment, custom index-time field extractions, event timestamping and linebreaking, structured data field extraction... All of it happen at index-time (Global Context)

When you run a search and events are collected by the search there are some process that also run, like search-time field extraction, field aliasing, tagging, event type matching... Those process run ate search-time (App/User Context). Also in app/user context files, you will have some Knowledge Objets, such as reports and dashboards. Remember that app and user context also consider the KO's and app permissions (Private, App or Global).

You can find more information about index and search time at: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Indextimeversussearchtime
Knowledge Objects permissions: https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Manageknowledgeobjectpermissions

Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...