Solved: How to set allow_skew globally, but override for o...

DATEVeG · ‎08-15-2022

Hi,

we would like to set allow_skew =15% globally for all of our searches, except for searches which reside in one specific app b. How do i do that?

We tried to set a global value in apps/a/default/savedsearches.conf

[default]
allow_skew=15%

And then a add specific configuration in app b to override the global default (apps/b/local/savedsearches.conf)

[default]
allow_skew=0

But it doesn't work. btool shows, that the setting in b/local/savedsearches.conf wins over apps/a/default/savedsearches.conf.

According to Configuration file precedence - Splunk Documentation savedsearches.conf is per app/user configuration file. Adding a default.meta for app b with

[savedsearches]
export=none

also didn't help.

Is there a bug or am i missing something?

Thanks!

- Lorenz

PickleRick · ‎08-15-2022

If you don't run it with --app=<myapp> you'll get a resulting config in global context, not in app's context.

PickleRick · ‎08-15-2022

Did you run your btool with an app context? Otherwise it can be misleading.

DATEVeG · ‎08-15-2022

I did run btool with --debug

Where exactly is it misleading?

PickleRick · ‎08-15-2022

If you don't run it with --app=<myapp> you'll get a resulting config in global context, not in app's context.

DATEVeG · ‎08-17-2022

Thank you for this hint!

Seems it's working fine, it was me having problems in using btool correctly.

If you use btool with "--app" it won't show settings inherited from other apps.

But if you use Splunk Web UI, you can see all the values if you use the advanced edit view.

How to set allow_skew globally, but override for one app?