HW 7A (Skip for now) Flashcards

1
Q

Explain file precedence in your own words

A

The method by which Splunk decides which configuration is more important and will be executed first.

2
Q

server.conf is found in two locations with different settings. Setting “A” resides in a bundled app on the indexer, while Setting “B” sits in the local directory of an individual indexer. Which setting is applied by Splunk, Setting A or Setting B, and why?

A

Setting B; in Splunk, the system/local location takes precedence over etc/apps (where bundled apps are typically found).

3
Q

How would you describe a priority key, how would you use it, and what are its limitations?

A

I would describe a priority key as a method by which a given stanza is given higher or lower priority. A priority key can be used to resolve collisions between patterns of the same type, such as sourcetype and host patterns. The limitation of the priority key is that it does not affect precedence between spec types. For example, regardless of priority keys, source patterns will take priority over both host and sourcetype patterns.

4
Q

You have a stanza [source::/var/log/documents] and another stanza [sourcetype::atrium] that have conflicting attributes that Splunk will need to resolve. Which is prioritized first, and why?

A

Source will be prioritized first because in Splunk source takes precedence over sourcetype when there are conflicting attributes.

5
Q

Which takes precedence: [source::/var/log/Documents/*] OR [source::/var/log/Documents/writeup.txt] – and why?

A

[source::/var/log/Documents/writeup.txt] will take precedence because it is a literal-matching stanza; literal-matching stanzas by default take precedence over pattern-matching stanzas.

6
Q

Why is precedence important to understand?

A

Understanding precedence in Splunk is important because it determines how conflicting configurations are resolved by Splunk in the backend. When multiple configurations overlap, understanding which one takes precedence can be key to reaching desired results and troubleshooting issues more efficiently.

7
Q

What are the two contexts of file precedence and how are they different?

A

The two contexts of file precedence are global and app/user. Global files typically deal with settings that are applied system-wide or settings that work at the indexing tier, whereas app/user files typically deal with settings that are applied to search-related activities involving a specific app or user.

8
Q

Which takes precedence, local or default? Why?

A

Local takes precedence over default in Splunk so that users can have more flexibility and customization options.

9
Q

Consider this segment of an indexes.conf file. What max buckets value is applied to the inventory index, the timetable index and the lastpass index, respectively? Why?


A

Local configurations take precedence over default configurations. If attributes are not specified locally, then the [default] stanza will be utilized for the configuration.

10
Q

What are the two things Splunk will do with configuration files in a system upon boot up?

A

1-Load the configuration files. Splunk will load all of the configuration files that it finds in the default, local, and app directories. Splunk uses a layering scheme and rules to evaluate overlapping configurations and prioritize them.

2-Start up the Splunk Enterprise components. Splunk will start up the Splunk Enterprise components, such as the indexers, search heads, and forwarders. The configuration files that Splunk loaded in step 1 will determine how these components start up and operate.

11
Q

Splunk uses what kind of lexicographical sorting scheme? What is it called?

A

ASCII lexicographical order

12
Q

What is the precedence within global context?

A

When the file context is global, directory priority descends in this order:

1-System local directory – highest priority
2-App local directories
3-App default directories
4-System default directory – lowest priority

When consuming a global configuration, such as inputs.conf, Splunk software first uses the attributes from any copy of the file in system/local. Then it looks for any copies of the file located in the app directories, adding any attributes found in them, but ignoring attributes already discovered in system/local. As a last resort, for any attributes not explicitly assigned at either the system or app level, it assigns default values from the file in the system/default directory.

13
Q

What is the precedence within global context, for indexer cluster peers only?

A

There is an expanded precedence order for indexer cluster peer configurations, which are considered in the global context. This is because some configuration files, like indexes.conf, must be identical across peer nodes.

To keep configuration settings consistent across peer nodes, configuration files are managed from the cluster manager node, which pushes the files to the slave-app directories on the peer nodes. Files in the slave-app directories have the highest precedence in a cluster peer’s configuration. These directories exist only on indexer cluster peer nodes.

Here is the expanded precedence order for cluster peers:

1-Slave-app local directories – highest priority
2-System local directory
3-App local directories
4-Slave-app default directories
5-App default directories
6-System default directory – lowest priority

14
Q

What is the precedence within app or user context?

A

For files with an app/user context, directory priority descends from user to app to system:

1-User directories for current user – highest priority
2-App directories for currently running app (local, followed by default)
3-App directories for all other apps (local, followed by default) – for exported settings only
4-System directories (local, followed by default) – lowest priority

An attribute in savedsearches.conf, for example, might be set at all three levels: the user, the app, and the system. Splunk will always use the value of the user-level attribute, if any, in preference to a value for that same attribute set at the app or system level.

15
Q

What happens to ascii lexicographical order in app/user context?

A

Splunk uses reverse-lexicographical order to determine priority among the collection of app directories.

16
Q

What files can be used both in global and app/user context?

A

props.conf and transforms.conf (and probably others)

17
Q

What are the default priority numbers for literal-matching stanzas and pattern-matching stanzas?

A

literal-matching stanzas = 100

pattern-matching stanzas = 0