File Precedence Flashcards

1
Q

What is file precedence?

A

Splunk software uses configuration files to determine nearly every aspect of its behavior. A Splunk platform deployment can have many copies of the same configuration file. These file copies are usually layered in directories that affect either the users, an app, or the system as a whole. When editing configuration files, it is important to understand how Splunk software evaluates these files and which ones take precedence. When incorporating changes, Splunk software does the following to your configuration files:

  1. It merges the settings from all copies of the file, using a location-based prioritization scheme.
  2. When different copies have conflicting attribute values (that is, when they set the same attribute to different values), it uses the value from the file with the highest priority.
  3. It determines the priority of configuration files by their location in the directory structure, according to the rules described in this topic.

2
Q

server.conf is found in two locations with different settings. Setting “A” resides in a bundled app on the indexer, while Setting “B” sits in the local directory of an individual indexer. Which setting is applied by Splunk, Setting A or Setting B, and why?

A

Setting B, as /etc/system/local takes precedence over a .conf file placed in /etc/apps

3
Q

How would you describe a priority key, how would you use it, and what are its limitations?

A

With it we can override the default priorities in the props.conf file. So if we have two stanzas that have the same attributes but different values applying to the same configuration, we can choose ourselves which value is going to be applied. We just need to use the attribute called “priority” in both stanzas, and set the higher number for the stanza that we want to be applied. We can use the priority key only for stanzas of the same type, because the priority key doesn’t work across different spec types. So, for example, a source pattern takes priority over host and sourcetype patterns, and it makes sense, as the source pattern is more specific than sourcetype or host.

4
Q

You have a stanza [source:://var/log/documents] and another stanza [sourcetype::atrium] that have conflicting attributes that Splunk will need to resolve. What is prioritized first, and why? *

A

The “source” stanza’s attributes would be applied, as “source” takes precedence over sourcetype. It is logical, as “sourcetype” includes many different sources, and “source” specifies only one source. So, if not stated otherwise with a “source” stanza, the “sourcetype” attributes will be applied to OTHER sources.

5
Q

Which takes precedence: [source:://var/log/Documents/*] OR [source:://var/log/Documents/writeup.txt] – and why?

A

source:://var/log/Documents/writeup.txt

Literal-matching stanzas take precedence over pattern-matching stanzas, unless specified otherwise

6
Q

What are the two contexts of file precedence and how are they different?

A

Global and app/user. The global context specifies configurations that apply to the component/server itself, as a whole, so for example web.conf (enableSplunkWebSSL), outputs.conf (sending internal logs to indexers), server.conf (naming the server). The app/user context specifies configurations that apply to users in the environment, or to the apps themselves. So, for example, app.conf, with which we configure the basic settings for our app.

7
Q

Consider this segment of an indexes.conf file. What is the max buckets that are applied to the inventory index, the timetable index and the lastpass index respectively? Why?

A

For Inventory: hot buckets: 10, Warm buckets = 200
For timetable: hot: 4, warm: 200
lastpass: hot: 2, warm: 200

Local configurations take precedence over default configurations. If an attribute wasn’t specified locally, it will use the [default] stanza for the configuration.

8
Q

Splunk uses what kind of lexicographical sorting scheme? What is it called? *

A

ASCII lexicographical order

9
Q

What files can be used both in global and app/user context?

A

props.conf and transforms.conf (and probably others)

10
Q

What is the precedence within global context?

A

When the file context is global, directory priority descends in this order:

  1. System local directory – highest priority
  2. App local directories
  3. App default directories
  4. System default directory – lowest priority

When consuming a global configuration, such as inputs.conf, Splunk software first uses the attributes from any copy of the file in system/local. Then it looks for any copies of the file located in the app directories, adding any attributes found in them, but ignoring attributes already discovered in system/local. As a last resort, for any attributes not explicitly assigned at either the system or app level, it assigns default values from the file in the system/default directory.

11
Q

What is the precedence within global context, for indexer cluster peers only?

A

There is an expanded precedence order for indexer cluster peer configurations, which are considered in the global context. This is because some configuration files, like indexes.conf, must be identical across peer nodes.

To keep configuration settings consistent across peer nodes, configuration files are managed from the cluster manager node, which pushes the files to the slave-app directories on the peer nodes. Files in the slave-app directories have the highest precedence in a cluster peer’s configuration. These directories exist only on indexer cluster peer nodes.

Here is the expanded precedence order for cluster peers:

  1. Slave-app local directories – highest priority
  2. System local directory
  3. App local directories
  4. Slave-app default directories
  5. App default directories
  6. System default directory – lowest priority
12
Q

What is the precedence within app or user context?

A

For files with an app/user context, directory priority descends from user to app to system:

  1. User directories for current user – highest priority
  2. App directories for currently running app (local, followed by default)
  3. App directories for all other apps (local, followed by default) – for exported settings only
  4. System directories (local, followed by default) – lowest priority

An attribute in savedsearches.conf, for example, might be set at all three levels: the user, the app, and the system. Splunk will always use the value of the user-level attribute, if any, in preference to a value for that same attribute set at the app or system level.

13
Q

What happens to ASCII lexicographical order in app/user context?

A

Splunk will use reverse-lexicographical order to determine priority among the collection of app directories.

14
Q

What is the precedence for host, sourcetype and source?

A

source -> host -> sourcetype

15
Q

What are the default priority numbers for literal-matching stanzas and pattern-matching stanzas?

A

100 and 0
