What happens when I set the permissions to "Global...

sondradotcom · ‎05-05-2011

Team,

I'm trying to better understand the under-the-hood part of splunk. I thought that when you set the permissions to global of, say, a field extraction that the system actually moved those lines from the "etc/apps/search/local/props.conf" file to the "etc/default/local/props.conf" file. Am I wrong about that? As it stands, I have some field extractions that are set to "global" but that still live in "etc/apps/search/local/props.conf"

Thanks!
-S.

jbsplunk · ‎05-05-2011

Setting permissions to global isn't going to move those field extractions into the default directory. The default directory is the initial, 'default' Splunk configuration. Additional configuration can be made available globally, but they will still exist within the conf file where they were created, in your case /etc/apps/search/local/props.conf. It is not recommended to edit the files in /default, as they would be overwritten on upgrade and any customizations would not be retained.

hazekamp · ‎05-05-2011

sondra,

Setting permissions to global makes a change to your app's (in this case search's) local.meta in SPLUNK_HOME/etc/apps/<app>/metadata/local.meta. It is the .meta files that control what is "global", not the location of the resources. Location of resources instead affects the precedence by which configuration files are read.

proctorgeorge · ‎05-05-2011

Remember to accept hazedav's answer as correct!

sondradotcom · ‎05-05-2011

Ah, perfect! Thanks!
-S.

What happens when I set the permissions to "Global"?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases