Getting Data In

Need help with what should be a simple precedence issue regarding props.conf and aliases.

leonphelps_s
Path Finder

Simple scenario

app_a/default/props.conf
25_app_a/default/props.conf

The 25_app_a is an exact copy aside from the change noted below.

Both contain field aliases for the same sourcetype. The fields/classes are the same aside from a simple "as" clause. app_a says severity as severity_id and 25_app_a you can see below. Due to ASCII ordering of apps 25_ should override, and from a btool perspective it does.

However in the UI the base app is still winning.

~/bin/splunk btool props list --debug |grep severity
/opt/splunk/etc/apps/25_app_a/default/props.conf FIELDALIAS-cim_for_sev = severity AS severity_OVERRIDE

Please don't offer solutions such as "use app_a and /local/"; there is a reason I'm doing it this way and I want emphasis to be on understanding precedence and btool.

rsennett_splunk
Splunk Employee

Consider this...
On one hand, you are looking at btool, which demonstrates how Splunk sees all the props.conf directives mashed up together in order of precedence, and you are using an example of something that won't be overridden, just added to. More than one alias to a field is legitimate and so you are not really even doing your experiment. You are comparing apples and toothpicks.

Pick something to capture and create a field... call it FRED in both apps and then change the regex slightly... something like..
blah_regex(?P<FRED>.{2}) in one app and blah_regex(?P<FRED>.{5}) in another. Same name... so one will override the other but you will see which one "wins" by the value and whether you grab 2 characters or 5.

Also consider in your previous experiment you are asking two different questions.
Precedence has one set of rules and GUI display order another set of rules, and one has nothing to do with the other... and you were always going to see all the field alias because that's how it works.

I think if you are really looking at understanding btool... you could also try inputs.conf

create a monitor of a file, and enable it in one app and disable it in the other. Which one comes first? 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

leonphelps_s
Path Finder

If what you are saying is true (which I understand why it would) then both aliases should appear via btool.. but do not.

Further, when I run btool it ONLY shows the app with the high ASCII order based on path. Try it: two apps, same aliases, btool grep for the aliases; only one set will show via btool.

I'm gathering that btool shows whatever it wants.. not necessarily what splunk actually runs with.

I need an apples-to-apples answer for the scenario I am describing, not something different. I am positive I am doing something wrong or just don't understand something, but I'm not seeing it.

rsennett_splunk
Splunk Employee

You know... I'm actually wondering if something has changed with btool. I tried the experiment I suggested you do and what I found is that while I had four different definitions of a field, in four differently named apps... I only saw one in btool output. For what it's worth it appeared to "take" the first one in the ASCII order. (I could swear btool used to actually put them all out, not just the one it used.)

But the outcome is the same. A choice was made and only one is being used to represent the truth...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Yepeza
Path Finder

On the search head it is reverse ASCII order! Try ZZ-ta....

dflodstrom
Builder

Just tested this:

Btool is showing the configurations the way we expect, in ASCII sort order. However, our results in search show that our custom configurations are not being applied. If we change the name of our custom app to what should be a lower precedence then our configurations work.

Non-Working Example:

TA-splunk_app -
props.conf > [sourcetype] REPORT-field-report = field-report
transforms.conf > [field-report]

123-splunk_app -
props.conf > [sourcetype] REPORT-field-report = field-report

^^ props.conf from 123-splunk_app should be applied. According to btool it is.

Working Example:

TA-splunk_app -
props.conf > [sourcetype] REPORT-field-report = field-report
transforms.conf > [field-report]

ZZ-TA-splunk_app -
props.conf > [sourcetype] REPORT-field-report = field-report

^^ props.conf from ZZ-TA-splunk_app is being applied in my search results, yet btool says otherwise.

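To make the two orderings the thread keeps circling concrete, here is a small model (added here; it is not code from any poster and not Splunk's own merge logic) that layers a minimal props.conf from several app directories the way btool lists them (plain byte-wise ASCII sort: digits before uppercase before lowercase, first app wins) and, separately, in the reverse order that Yepeza and dflodstrom report seeing in search results. The app names and stanza contents are constructed to mirror the thread's scenarios; `my_sourcetype` and the `-zz` suffix are assumptions used only to tell the two copies apart. Note that the model reproduces the btool output, the "base app wins in the UI" observation, and the ZZ- working example, but not the U_ case leonphelps reports, which the thread never resolves.

```python
import re

# Constructed sample: app directory name -> contents of default/props.conf.
# Two app pairs from the thread: app_a vs 25_app_a (alias target differs) and
# TA-splunk_app vs ZZ-TA-splunk_app (REPORT target differs; "-zz" is an
# assumed marker so the winner is visible). "my_sourcetype" is an assumption.
PROPS_BY_APP = {
    "app_a": "[my_sourcetype]\nFIELDALIAS-cim_for_sev = severity AS severity_id\n",
    "25_app_a": "[my_sourcetype]\nFIELDALIAS-cim_for_sev = severity AS severity_OVERRIDE\n",
    "TA-splunk_app": "[my_sourcetype]\nREPORT-field-report = field-report\n",
    "ZZ-TA-splunk_app": "[my_sourcetype]\n# constructed: same key, different value\nREPORT-field-report = field-report-zz\n",
}


def parse_conf(text):
    """Minimal .conf parser: '[stanza]' headers and 'key = value' lines.
    Comments and blank lines are skipped. Returns {stanza: {key: value}}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def ascii_order(app_names):
    """Byte-wise sort, which is what 'ASCII order' means for app directories:
    '2' (0x32) < 'T' (0x54) < 'Z' (0x5A) < 'a' (0x61)."""
    return sorted(app_names)


def merge(props_by_app, order):
    """Layer every app's stanzas so that the app earliest in `order` wins a key
    collision. Returns {stanza: {key: (value, app_that_supplied_it)}}.
    Keys that exist in only one app are simply added, which is why two
    differently named FIELDALIAS-* keys would both survive (rsennett's point)."""
    merged = {}
    for app in reversed(order):  # lowest precedence first, highest last
        for stanza, kv in parse_conf(props_by_app[app]).items():
            for key, value in kv.items():
                merged.setdefault(stanza, {})[key] = (value, app)
    return merged


def effective_global(props_by_app):
    """btool-style view: first app in ASCII order wins."""
    return merge(props_by_app, ascii_order(props_by_app))


def effective_search_time_other_apps(props_by_app):
    """The ordering Yepeza and dflodstrom report for search results:
    reverse ASCII order among the other apps, so ZZ-... beats TA-... and
    app_a beats 25_app_a."""
    return merge(props_by_app, list(reversed(ascii_order(props_by_app))))


def winners(merged):
    """Flatten to 'stanza/key -> app' for a quick side-by-side comparison."""
    return {f"{st}/{k}": app for st, kv in merged.items() for k, (_, app) in kv.items()}


if __name__ == "__main__":
    print("ASCII order:", ascii_order(PROPS_BY_APP))
    print("btool-style (first wins):", winners(effective_global(PROPS_BY_APP)))
    print("search-time as reported (reverse):",
          winners(effective_search_time_other_apps(PROPS_BY_APP)))
```

Run it and compare the two dictionaries: the btool-style merge picks 25_app_a and TA-splunk_app (what the thread's btool output shows), while the reversed merge picks app_a and ZZ-TA-splunk_app (what the posters see in the UI). The practical check this suggests is to stop relying on btool alone for search-time behaviour and confirm the winning value with a search in the relevant app context.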

leonphelps_s
Path Finder

I tried this with TA-splunk app vs U_TA-splunk app and btool shows the TA-splunk app winning out, and still in the UI the TA-splunk app aliases are shown but not the other app's.

leonphelps_s
Path Finder

Somehow ZZ_ does work, but U_, which should also work, does not.


somesoni2
SplunkTrust

It's recommended that you have your app name start with letters and not numbers. If you're looking to get the override settings deployed on top of regular settings, keep the app name starting with a capital A (highest precedence). See this for more information on the precedence.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Wheretofindtheconfigurationfiles#Summary_of_...


leonphelps_s
Path Finder

Ok.. so now it is 'A_app_a' instead of 25_x_x

~/bin/splunk btool props list --debug |grep severity|grep nitro
/opt/splunk/etc/apps/A_app_a/default/props.conf FIELDALIAS-cim_for_sev = severity AS severity_OVERRIDE

ASCII ordering supports #'s so that should have been fine, but here I tested it with a capital 'A', which is higher in order than 'a'. No change. btool still recognizes the correct precedence but Splunk seemingly refuses to enforce it at the UI level. This includes a full Splunk restart.

One item of note: in both scenarios, "Fields -> Field Aliases" shows both apps and the conflicting aliases.

somesoni2
SplunkTrust

Did you restart your Splunk service after you made the change? btool is more like what will be effective and works purely on the file system configurations. It may pick up a change which might not be in effect yet (pending Splunk restart).

Also, what are the sharing permissions on both field aliases; are they both Global? And where are you running the search (app context)?


leonphelps_s
Path Finder

Yes, tried debug/refresh and a full restart.

Both global, an exact copy of the first one:

[props]
export = system
access = read : [*], write : [ admin ]

The search is in the "search" app.
