Related Answers
Download topic as PDF
Configuration file precedence
For more information about configuration files, read About configuration files.
Splunk software uses configuration files to determine nearly every aspect of its behavior. A Splunk platform deployment can have many copies of the same configuration file. These file copies are usually layered in directories that affect either the users, an app, or the system as a whole.
When editing configuration files, it is important to understand how Splunk software evaluates these files and which ones take precedence.
When incorporating changes, Splunk software does the following to your configuration files:
- It merges the settings from all copies of the file, using a location-based prioritization scheme.
- When different copies have conflicting attribute values (that is, when they set the same attribute to different values), it uses the value from the file with the highest priority.
- It determines the priority of configuration files by their location in its directory structure, according to whether the file is located in a system, app, or user directory, in that order. To determine priority among the collection of apps directories, Splunk uses ASCII sort order. Files in an apps directory named "A" have a higher priority than files in an apps directory named "B", and so on.
Note: Besides resolving configuration settings amongst multiple copies of a file, Splunk software sometimes needs to resolve settings within a single file. For information on how Splunk software determines precedence within a single props.conf file, see "Attribute precedence within a single props.conf file".
About configuration file context
How precedence is determined depends upon the context of the file.
App or user context versus global context
To determine priority among copies of a configuration file, Splunk software first determines the directory scheme.
Splunk software uses two main schemes of directory precedence.
- App or user: Some activities, like searching, take place in an app or user context. The app and user context is vital to search-time processing, where certain knowledge objects or actions might be valid only for specific users in specific apps.
- Global: Activities like indexing take place in a global context. They are independent of any app or user. For example, configuration files that determine monitoring behavior occur outside of the app and user context and are global in nature.
Cluster peer configuration context
There's also an expanded precedence order for cluster peer node global configurations. This is because some configuration files, like indexes.conf, must be identical across peer nodes.
To keep them consistent, files are managed from the cluster master, which distributes them to the peer nodes so that all peer nodes contain the same versions of the files. These files have the highest precedence in a cluster peer's configuration, which is explained in the next section.
For more information about how configurations are distributed across peer nodes, see "Update common peer configurations" in the Managing Indexers and Clusters manual.
How Splunk determines precedence order
This subsection provides a conceptual understanding of precedence order and context. For ordered listings by directory name, see "Summary of directory order precedence", later in this topic.
Precedence order within global context:
When the context is global (that is, where there's no app/user context), directory priority descends in this order:
1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority
When consuming a global configuration, such as inputs.conf, Splunk first uses the attributes from any copy of the file in system/local. Then it looks for any copies of the file located in the app directories, adding any attributes found in them, but ignoring attributes already discovered in system/local. As a last resort, for any attributes not explicitly assigned at either the system or app level, it assigns default values from the file in the system/default directory.
Note: As the next section describes, cluster peer nodes have an expanded order of precedence.
Precedence for cluster peer nodes
For cluster peer nodes, the global context considers some additional peer-specific ("slave-app") directories. These directories contain apps and configurations that are identical across all peer nodes. Here is the expanded precedence order for cluster peers:
1. Slave-app local directories (cluster peers only) -- highest priority
2. System local directory
3. App local directories
4. Slave-app default directories (cluster peers only)
5. App default directories
6. System default directory -- lowest priority
With cluster peers, custom settings common to all the peers (those in the slave-app local directories) have the highest precedence.
Precedence order within app or user context
When there's an app/user context, directory priority descends from user to app to system:
1. User directories for current user -- highest priority
2. App directories for currently running app (local, followed by default)
3. App directories for all other apps (local, followed by default) -- for exported settings only
4. System directories (local, followed by default) -- lowest priority
An attribute in savedsearches.conf, for example, might be set at all three levels: the user, the app, and the system. Splunk will always use the value of the user-level attribute, if any, in preference to a value for that same attribute set at the app or system level.
How app directory names affect precedence
Note: For most practical purposes, the information in this subsection probably won't matter, but it might prove useful if you need to force a certain order of evaluation or for troubleshooting.
To determine priority among the collection of apps directories, Splunk uses ASCII sort order. Files in an apps directory named "A" have a higher priority than files in an apps directory named "B", and so on. Also, all apps starting with an uppercase letter have precedence over any apps starting with a lowercase letter, due to ASCII sort order. ("A" has precedence over "Z", but "Z" has precedence over "a", for example.)
In addition, numbered directories have a higher priority than alphabetical directories and are evaluated in lexicographic, not numerical, order. For example, in descending order of precedence:
$SPLUNK_HOME/etc/apps/myapp1 $SPLUNK_HOME/etc/apps/myapp10 $SPLUNK_HOME/etc/apps/myapp2 $SPLUNK_HOME/etc/apps/myapp20 ... $SPLUNK_HOME/etc/apps/myappApple $SPLUNK_HOME/etc/apps/myappBanana $SPLUNK_HOME/etc/apps/myappZabaglione ... $SPLUNK_HOME/etc/apps/myappapple $SPLUNK_HOME/etc/apps/myappbanana $SPLUNK_HOME/etc/apps/myappzabaglione ...
Note: When determining precedence in the app/user context, directories for the currently running app take priority over those for all other apps, independent of how they're named. Furthermore, other apps are only examined for exported settings.
Summary of directory precedence
Putting this all together, the order of directory priority, from highest to lowest, goes like this:
Global context:
$SPLUNK_HOME/etc/system/local/* $SPLUNK_HOME/etc/apps/A/local/* ... $SPLUNK_HOME/etc/apps/z/local/* $SPLUNK_HOME/etc/apps/A/default/* ... $SPLUNK_HOME/etc/apps/z/default/* $SPLUNK_HOME/etc/system/default/*
Global context - cluster peer nodes only:
$SPLUNK_HOME/etc/slave-apps/A/local/* ... $SPLUNK_HOME/etc/slave-apps/z/local/* $SPLUNK_HOME/etc/system/local/* $SPLUNK_HOME/etc/apps/A/local/* ... $SPLUNK_HOME/etc/apps/z/local/* $SPLUNK_HOME/etc/slave-apps/A/default/* ... $SPLUNK_HOME/etc/slave-apps/z/default/* $SPLUNK_HOME/etc/apps/A/default/* ... $SPLUNK_HOME/etc/apps/z/default/* $SPLUNK_HOME/etc/system/default/*
Important: Within the slave-apps/[local|default] directories, the special _cluster subdirectory has a higher precedence than any app subdirectories starting with a lowercase letter (for example, anApp). However, it has a lower precedence than any apps starting with an uppercase letter (for example, AnApp). This is due to the location of the underscore ("_") character in the ASCII sort order.
App/user context:
$SPLUNK_HOME/etc/users/* $SPLUNK_HOME/etc/apps/Current_running_app/local/* $SPLUNK_HOME/etc/apps/Current_running_app/default/* $SPLUNK_HOME/etc/apps/A/local/*, $SPLUNK_HOME/etc/apps/A/default/*, ... $SPLUNK_HOME/etc/apps/z/local/*, $SPLUNK_HOME/etc/apps/z/default/* (but see note below) $SPLUNK_HOME/etc/system/local/* $SPLUNK_HOME/etc/system/default/*
Important: In the app/user context, all configuration files for the currently running app take priority over files from all other apps. This is true for the app's local and default directories. So, if the current context is app C, Splunk evaluates both $SPLUNK_HOME/etc/apps/C/local/* and $SPLUNK_HOME/etc/apps/C/default/* before evaluating the local or default directories for any other apps. Furthermore, Splunk only looks at configuration data for other apps if that data has been exported globally through the app's default.meta file, as described in this topic on setting app permissions.
Also, note that /etc/users/ is evaluated only when the particular user logs in or performs a search.
Example of how attribute precedence works
This example of attribute precedence uses props.conf. The props.conf file is unusual, because its context can be either global or app/user, depending on when Splunk is evaluating it. Splunk evaluates props.conf at both index time (global) and search time (apps/user).
Assume $SPLUNK_HOME/etc/system/local/props.conf contains this stanza:
[source::/opt/Locke/Logs/error*] sourcetype = fatal-error
and $SPLUNK_HOME/etc/apps/t2rss/local/props.conf contains another version of the same stanza:
[source::/opt/Locke/Logs/error*] sourcetype = t2rss-error SHOULD_LINEMERGE = True BREAK_ONLY_BEFORE_DATE = True
The line merging attribute assignments in t2rss always apply, as they only occur in that version of the file. However, there's a conflict with the sourcetype attribute. In the /system/local version, the sourcetype has a value of "fatal-error". In the /apps/t2rss/local version, it has a value of "t2rss-error".
Since this is a sourcetype assignment, which gets applied at index time, Splunk uses the global context for determining directory precedence. In the global context, Splunk gives highest priority to attribute assignments in system/local. Thus, the sourcetype attribute gets assigned a value of "fatal-error".
The final, internally merged version of the file looks like this:
[source::/opt/Locke/Logs/error*] sourcetype = fatal-error SHOULD_LINEMERGE = True BREAK_ONLY_BEFORE_DATE = True
List of configuration files and their context
As mentioned, Splunk decides how to evaluate a configuration file based on the context that the file operates within, global or app/user. Generally speaking, files that affect data input, indexing, or deployment activities are global; files that affect search activities usually have a app/user context.
The props.conf and transforms.conf files can be evaluated in either a app/user or a global context, depending on whether Splunk is using them at index or search time.
Global configuration files
admon.conf authentication.conf authorize.conf crawl.conf deploymentclient.conf distsearch.conf indexes.conf inputs.conf outputs.conf pdf_server.conf procmonfilters.conf props.conf -- global and app/user context pubsub.conf regmonfilters.conf report_server.conf restmap.conf searchbnf.conf segmenters.conf server.conf serverclass.conf serverclass.seed.xml.conf source-classifier.conf sourcetypes.conf sysmon.conf tenants.conf transforms.conf -- global and app/user context user-seed.conf -- special case: Must be located in /system/default web.conf wmi.conf
App/user configuration files
alert_actions.conf app.conf audit.conf commands.conf eventdiscoverer.conf event_renderers.conf eventtypes.conf fields.conf limits.conf literals.conf macros.conf multikv.conf props.conf -- global and app/user context savedsearches.conf tags.conf times.conf transactiontypes.conf transforms.conf -- global and app/user context user-prefs.conf workflow_actions.conf
Troubleshooting configuration precedence and other issues
Splunk's configuration file system supports many overlapping configuration files in many different locations. The price of this level of flexibility is that figuring out which value for which configuration option is being used in your Splunk installation can sometimes be quite complex. If you're looking for some tips on figuring out what configuration setting is being used in a given situation, read "Use btool to troubleshoot configurations" in the Troubleshooting Manual.
|
PREVIOUS Configuration file structure |
NEXT Attribute precedence within a single props.conf file |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
Comments
Rfrey - I assume your main concern here is precedence in the so-called app/user, aka search-time, context, described in this topic. The search head transmits the search-time settings to the search peers via the knowledge bundle.<br /><br />The search peers then use the contents of the knowledge bundle to execute searches on behalf of their search head. In so doing, they follow the app/user precedence. So, for example, a knowledge bundle setting in $SPLUNK_HOME/etc/users/*, for the user running the search, will have precedence over a conflicting setting in $SPLUNK_HOME/etc/apps/Current_running_app/local/* in the bundle.<br /><br />The use of mounted bundles doesn't change this. It just means that the search peer will access the conf files from the mounted bundle rather than from a downloaded copy of the bundle. Similarly, search head pooling doesn't affect the set of files that the search peers receive from the search heads. The contents of the knowledge bundle remain the same in both cases.
Can you elaborate on how file precedence works in relation to mounted bundles and search head pooling, specifically if there is a clear order of precedence based off of location on the file system? I am aware that you can use btool to determine how things are being applied but in a design phase that is a very trial and error approach to determining which copy of each configuration file should host which settings in a distributed environment.
Fixed the typo, thanks, BenAveling!
user_seed.conf or user-seed.conf ?
For clarity, "Splunk uses ASCII sort order." probably needs a little more precision. How about:
Splunk uses 7-bit ASCII sort order for filename precedence, and pays no attention to collation or language settings. Extended and non-ASCII characters in filenames are ignored. (are they?)