Splunk Search

When overriding configs in apps or add-ons with minimal system impact, how is the order of precedence determined?

kcnolan13
Communicator

I know there is some general documentation out there on config precedence, but I'd like to know the range of configuration settings you can specify in an app's "default" directory, and what effect this has on system configuration.

For instance, if you create an authorize.conf, limits.conf, and transforms.conf within an app's "default" directory, and then specify all of these stanzas as "export = system" in default.meta, what actually happens to the existing system config when you install this app on a server?

Here's why I ask: I would like to override a few properties in authorize.conf and limits.conf ONLY when one specific lookup occurs. I bundled the lookup file and transforms entry in a really bare-bones app, also containing the authorize.conf and limits.conf changes. The intent is to allow a few special configuration settings this lookup needs in a way that is minimally intrusive on the existing system's configuration.

So, a few questions:

  1. If the properties in my app's authorize.conf have also been manually specified in /etc/system/local/authorize.conf, which file wins when my app's lookup appears in a search query?
  2. If my app's authorize.conf does take precedence, does it only take precedence when the lookup from that app is used in a query? (i.e., if that app's lookup is absent from a search query, which authorize.conf takes precedence now? Hopefully it is the /etc/system/local/ one)
  3. An extension of number 2. Same scenario, and if all of that holds, then what if there is no /etc/system/local/authorize.conf? Does Splunk know to fall back on /etc/system/default/authorize.conf? Or will my app's authorize.conf suddenly come back into play even though its lookup is not involved in the query?
0 Karma

jwelch_splunk
Splunk Employee
0 Karma