When overriding configs in apps or add-ons with minimal system impact, how is the order of precedence determined?

kcnolan13
Communicator

I know there is some general documentation out there on config precedence, but I'd like to know the range of configuration settings you can specify in an app's "default" directory, and what effect this has on system configuration.

For instance, if you create an authorize.conf, limits.conf, and transforms.conf within an app's "default" directory, and then specify all of these stanzas as "export = system" in default.meta, what actually happens to the existing system config when you install this app on a server?

Here's why I ask: I would like to override a few properties in authorize.conf and limits.conf ONLY when one specific lookup occurs. I bundled the lookup file and transforms entry in a really bare-bones app, also containing the authorize.conf and limits.conf changes. The intent is to allow a few special configuration settings this lookup needs in a way that is minimally intrusive on the existing system's configuration.

So, a few questions:

  1. If the properties in my app's authorize.conf have also been manually specified in /etc/system/local/authorize.conf, which file wins when my app's lookup appears in a search query?
  2. If my app's authorize.conf does take precedence, does it only take precedence when the lookup from that app is used in a query? (i.e., if that app's lookup is absent from a search query, which authorize.conf takes precedence now? Hopefully it is the /etc/system/local/ one)
  3. An extension of number 2. Same scenario, and if all of that holds, then what if there is no /etc/system/local/authorize.conf? Does Splunk know to fall back on /etc/system/default/authorize.conf? Or will my app's authorize.conf suddenly come back into play even though its lookup is not involved in the query?

jwelch_splunk
Splunk Employee