Splunk Search

When overriding configs in apps or add-ons with minimal system impact, how is the order of precedence determined?


I know there is some general documentation out there on config precedence, but I'd like to know the range of configuration settings you can specify in an app's "default" directory, and what effect this has on system configuration.

For instance, if you create an authorize.conf, limits.conf, and transforms.conf within an app's "default" directory, and then specify all of these stanzas as "export = system" in default.meta, what actually happens to the existing system config when you install this app on a server?

Here's why I ask: I would like to override a few properties in authorize.conf and limits.conf ONLY when one specific lookup occurs. I bundled the lookup file and transforms entry in a really bare-bones app, also containing the authorize.conf and limits.conf changes. The intent is to allow a few special configuration settings this lookup needs in a way that is minimally intrusive on the existing system's configuration.

So, a few questions:

  1. If the properties in my app's authorize.conf have also been manually specified in /etc/system/local/authorize.conf, which file wins when my app's lookup appears in a search query?
  2. If my app's authorize.conf does take precedence, does it only take precedence when the lookup from that app is used in a query? (i.e., if that app's lookup is absent from a search query, which authorize.conf takes precedence now? Hopefully it is the /etc/system/local/ one)
  3. An extension of number 2. Same scenario, and if all of that holds, then what if there is no /etc/system/local/authorize.conf? Does Splunk know to fall back on /etc/system/default/authorize.conf? Or will my app's authorize.conf suddenly come back into play even though its lookup is not involved in the query?
0 Karma

Splunk Employee
Splunk Employee
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...