Security

File Precedence in Splunk

santosh11
New Member

Dear All,

I was going through the Splunk documentation related to file precedence:

https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Wheretofindtheconfigurationfiles

In the "About configuration file context" section:

To determine the order of directories for evaluating configuration file precedence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user:

Global. Activities like indexing take place in a global context. They are independent of any app or user. For example, configuration files that determine monitoring or indexing behavior occur outside of the app and user context and are global in nature.
App/user. Some activities, like searching, take place in an app or user context. The app and user context is vital to search-time processing, where certain knowledge objects or actions might be valid only for specific users in specific apps.

What do the above paragraphs about Global and App/User mean?

Can anyone please explain?

Regards,
Santosh

0 Karma
1 Solution

alonsocaio
Contributor
  • Global Context is related to Index Time processes.
  • App/User Context is related to Search Time processes.

When data is being consumed by Splunk, there are several other processes that can occur, such as default field extraction, default host assignment, custom index-time field extractions, event timestamping and linebreaking, structured data field extraction... All of it happens at index-time (Global Context).

When you run a search and events are collected by the search, there are some processes that also run, like search-time field extraction, field aliasing, tagging, event type matching... Those processes run at search-time (App/User Context). Also in app/user context files, you will have some Knowledge Objects, such as reports and dashboards. Remember that app and user context also considers the KOs and app permissions (Private, App or Global).

You can find more information about index and search time at: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Indextimeversussearchtime
Knowledge Objects permissions: https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Manageknowledgeobjectpermissions
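
The practical effect of the two contexts is which copy of a setting wins. The following is an added example, not part of the thread or of Splunk's code, modelling the directory order given in the Splunk documentation linked in the question for a non-clustered instance. The function names, sample paths and values are constructed; it assumes user-level files are matched on both user and app, and that at most one other app exports the setting.

```python
import re

# Constructed sample: one attribute of one stanza, set in several props.conf
# copies. Paths are relative to $SPLUNK_HOME/etc; the values are placeholders.
SAMPLE = {
    "system/default/props.conf": "v_sys_default",
    "system/local/props.conf": "v_sys_local",
    "apps/Zeta/local/props.conf": "v_zeta_local",
    "apps/alpha/default/props.conf": "v_alpha_default",
    "apps/search/local/props.conf": "v_search_local",
    "users/alice/search/local/props.conf": "v_alice",
    "users/bob/search/local/props.conf": "v_bob",
}
PATH = re.compile(
    r"(?:system|apps/(?P<app>[^/]+)|users/(?P<user>[^/]+)/(?P<uapp>[^/]+))"
    r"/(?P<layer>local|default)/[^/]+\.conf")

def rank(path, context, user=None, app=None, exported=()):
    """Sort key for a file (lower wins), or None if it is not consulted."""
    m = PATH.fullmatch(path)
    if not m:
        raise ValueError(f"unrecognised config path: {path}")
    layer = 0 if m["layer"] == "local" else 1
    if context == "global":              # index time: no app or user exists
        if m["user"]:
            return None                  # user directories are not consulted
        if m["app"]:                     # every app local, then every app
            return (1 + layer, m["app"]) # default; app names in ASCII order
        return (0, "") if layer == 0 else (3, "")
    # App/user context (search time)
    if m["user"]:
        mine = m["user"] == user and m["uapp"] == app
        return (0, 0) if mine else None  # another user's files never apply
    if m["app"]:
        if m["app"] == app:
            return (1, layer)            # currently running app
        # Other apps contribute exported settings only.
        return (2, layer) if m["app"] in exported else None
    return (3, layer)                    # system directories rank last here

def effective(files, context, **who):
    """Return (path, value) of the winning copy for the given context."""
    ranked = [(k, p) for p in files
              if (k := rank(p, context, **who)) is not None]
    _, path = min(ranked)
    return path, files[path]
```

In the global context `system/local` overrides every app, while in the app/user context the system directories are consulted last, so the same set of files can yield different effective values at index time and at search time.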
