Security

File Precedence in splunk

santosh11
New Member

Dear All,

When i was going through the document of splunk related to file precedence.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Wheretofindtheconfigurationfiles

In About configuration file context section

To determine the order of directories for evaluating configuration file precedence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user:

Global. Activities like indexing take place in a global context. They are independent of any app or user. For example, configuration files that determine monitoring or indexing behavior occur outside of the app and user context and are global in nature.
App/user. Some activities, like searching, take place in an app or user context. The app and user context is vital to search-time processing, where certain knowledge objects or actions might be valid only for specific users in specific apps.

What does the above paragraphs means which are commented for Global and App/User.

Can anyone please explain.

Regards,
Santosh

0 Karma
1 Solution

alonsocaio
Contributor
  • Global Context is related to Index Time processes.
  • App/User Context is related to Search Time process.

When data is being consumed by Splunk, there are several other processes that can occur, such as default field extraction, default host assignment, custom index-time field extractions, event timestamping and linebreaking, structured data field extraction... All of it happen at index-time (Global Context)

When you run a search and events are collected by the search there are some process that also run, like search-time field extraction, field aliasing, tagging, event type matching... Those process run ate search-time (App/User Context). Also in app/user context files, you will have some Knowledge Objets, such as reports and dashboards. Remember that app and user context also consider the KO's and app permissions (Private, App or Global).

You can find more information about index and search time at: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Indextimeversussearchtime
Knowledge Objects permissions: https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Manageknowledgeobjectpermissions

View solution in original post

alonsocaio
Contributor
  • Global Context is related to Index Time processes.
  • App/User Context is related to Search Time process.

When data is being consumed by Splunk, there are several other processes that can occur, such as default field extraction, default host assignment, custom index-time field extractions, event timestamping and linebreaking, structured data field extraction... All of it happen at index-time (Global Context)

When you run a search and events are collected by the search there are some process that also run, like search-time field extraction, field aliasing, tagging, event type matching... Those process run ate search-time (App/User Context). Also in app/user context files, you will have some Knowledge Objets, such as reports and dashboards. Remember that app and user context also consider the KO's and app permissions (Private, App or Global).

You can find more information about index and search time at: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Indextimeversussearchtime
Knowledge Objects permissions: https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Manageknowledgeobjectpermissions

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...