Bundle precedence

This documentation does not apply to the most recent version of Splunk.

Within a configuration file, attributes are set for sources, source types, and hosts. Configuration files exist in multiple places: default, local and any bundles you create. An attribute for a given specification may therefore be found in more than one file. The evaluation order of configuration files is:


So local has precedence over all. When determining which attributes apply to a host, source or source type, keep in mind that precedence is applied attribute-by-attribute. That is, if the file props.conf exists in both local and a user-created bundle directory, the props.conf file in local does not override or replace the entire props.conf file in the bundle. If the same attribute/specification exists in both the local props.conf and the user-created bundle props.conf, the local props.conf overrides the attribute.


For example, if $SPLUNK_HOME/etc/bundles/local/props.conf contains this stanza:


[source::/opt/Locke/Logs/error*]
sourcetype = t2rss-error

And $SPLUNK_HOME/etc/bundles/t2rss_bundle/props.conf contains this stanza:


[source::/opt/Locke/Logs/error*]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True

Both the sourcetype assignment in local and the line merging attributes in t2rss_bundle will apply. However, if both local and t2rss_bundle had a sourcetype assignment for source::/opt/Locke/Logs/error*, the assignment in local overrides t2rss_bundle.
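The attribute-by-attribute merge described above, as an added example (not Splunk's own code). The parser is a simplified stand-in for Splunk's configuration loader, the layer order is supplied by the caller, and the bundle's sourcetype line is constructed here to show the override case alongside the merge case.

```python
# Added illustration: which layer supplies each effective props.conf attribute.
# File contents are constructed from the stanzas shown on this page.
LOCAL_PROPS = """\
[source::/opt/Locke/Logs/error*]
sourcetype = t2rss-error
"""

BUNDLE_PROPS = """\
[source::/opt/Locke/Logs/error*]
# constructed conflicting assignment, to show the override case
sourcetype = t2rss-bundle-error
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {attribute: value}} (simplified)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_config(layers):
    """Merge [(layer_name, conf_text), ...], highest precedence first.

    Returns (merged, shadowed): merged maps stanza -> attribute ->
    (value, winning_layer); shadowed lists assignments that lost.
    """
    merged, shadowed = {}, []
    for name, text in layers:
        for stanza, attrs in parse_conf(text).items():
            target = merged.setdefault(stanza, {})
            for key, value in attrs.items():
                if key in target:   # a higher layer already set this attribute
                    shadowed.append((stanza, key, name, value))
                else:               # untouched attributes still apply
                    target[key] = (value, name)
    return merged, shadowed

if __name__ == "__main__":
    layers = [("local", LOCAL_PROPS), ("t2rss_bundle", BUNDLE_PROPS)]
    merged, shadowed = effective_config(layers)
    print(merged, shadowed, sep="\n")
```

The shadowed list is the part worth reviewing during a configuration audit: it shows bundle settings that are present on disk but never take effect.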


Precedence rules for events with multiple attribute assignments

Beyond the precedence rules discussed above, there is an additional precedence issue that affects the props.conf file alone. props.conf sets attributes that govern the processing of individual events, and these attributes can be wrapped into stanzas that link to events based on each event's particular host, source or sourcetype. It is therefore possible for an event to have the same attribute set differently for its host or for its sourcetype. If an event has an attribute assignment in a configuration file based on the source and the same attribute is also specified for the event's host, there is a conflict unless precedence rules decide between them.


The precedence order is:


This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.

