On the deployer server we have the /opt/splunk/etc/shcluster/apps/key_all_authentication/local and on the search heads we ended up having etc/system/local. Apparently the one under etc/system/local takes precedence, which seems to me a bit strange as search time precedence order starts usually with the apps...
What am I missing?
Configs under system/local always get precedence over the apps//system/local.
In regards to authorize.conf, since these are clustered search heads and you use the deployer, it would be better to use it under apps to avoid confusion.
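An added example, not part of the original posts: a small audit that compares a search head's etc/system/local/authorize.conf against the deployer-pushed app copy and lists every role setting where the system/local value is the one in effect, as the answer above describes. The role name and all values are constructed sample data, and the parser assumes plain `key = value` lines without continuations.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def system_local_overrides(system_local, app_local):
    """List (stanza, key, app_value, system_value) wherever system/local
    sets a value the deployer-pushed app does not set or sets differently.
    app_value is None when the key exists only in system/local."""
    findings = []
    for stanza, keys in system_local.items():
        for key, sys_value in keys.items():
            app_value = app_local.get(stanza, {}).get(key)
            if app_value != sys_value:
                findings.append((stanza, key, app_value, sys_value))
    return sorted(findings, key=lambda f: (f[0], f[1]))

# Constructed sample: what the deployer pushes in the app ...
APP_LOCAL = """
[role_analyst]
importRoles = user
srchIndexesAllowed = main
srchJobsQuota = 3
"""
# ... and a stale copy left behind in etc/system/local on a search head.
SYSTEM_LOCAL = """
# edited by hand before the deployer was introduced
[role_analyst]
srchIndexesAllowed = *
srchJobsQuota = 3
edit_user = enabled
"""

if __name__ == "__main__":
    found = system_local_overrides(parse_conf(SYSTEM_LOCAL), parse_conf(APP_LOCAL))
    for stanza, key, app_value, sys_value in found:
        print(f"[{stanza}] {key}: app={app_value!r} effective={sys_value!r}")
```

Any line it prints is a role setting that deployer pushes will not change until the system/local copy is cleaned up.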
Fair enough. Since it's search time, the following, in my mind, should apply:
Precedence order within app or user context
When there's an app/user context, directory priority descends from user to app to system:
An attribute in savedsearches.conf, for example, might be set at all three levels: the user, the app, and the system. Splunk will always use the value of the user-level attribute, if any, in preference to a value for that same attribute set at the app or system level.
Yes, Splunk applies different precedence for the configuration files in global context vs app/user context. The link below should explain in detail. Since authorize.conf is a system configuration file and not a user/app context.
Precedence order within global context:
When the context is global (that is, where there's no app/user context), directory priority descends in this order: