How Configs are Applied

00:00

Hello and welcome back to the Splunk Enterprise Certified Administrator Course on Cyber. This issue any lesson? 4.2 how configurations are ified.

00:09

The learning objectives for this lesson are gonna be to talk about configuration file layering and how it works. Talk about configuration file precedents. How that might impact our your configurations that you have on disk and then also go over lexical graphical order. And at what point with Splunk that will come into play.

00:29

So why are we learning this? It's important to understand where and when these configurations are gonna be made to make sure that you're placing them in the correct location, and also that the settings that you want to prevail will prevail based on where you place them. So this is a pivotal part in understanding

00:48

spawn configurations and also a common area where I see mistakes being made so

00:55

or confusion around why my configuration isn't taking place. If you understand these concepts thoroughly, then you'll really know where to place your configurations or how to check and validate why they're not taking place. So first we'll talk about configuration layering. So what? This is This is basically how Splunk

01:14

compiles all of the different settings that are in configuration files on disk into memory.

01:21

So the way it works is it finds all copies of a given file, and then it merges them together into a single file. If there's conflicting attributes across multiple files, then there is a precedence order that Splunk uses to determine which setting should prevail over the other ones.

01:40

And the priority is based on

01:42

the directory location of the file, and we'll talk about that a little bit later on. But first we're gonna keep kind of diving into this configuration layering and show you a demonstration of how this would work.

01:56

So say you have three crops dot com files as shown on screen here, ones located, etc. System, local one, etc. APs in your app. One default directory and then the other in your app to local directory. As you can see, the stanza, which is the part that dictates what

02:15

the settings are being applied to,

02:19

are the same. So this is all settings from prop sykov to configure a source type called my source type,

02:25

and you could see they have all of these files have different configurations and So when Splunk starts and it compiles all the files and creates the configuration in memory, what it's gonna end up looking like is actually this It's gonna

02:43

combined the settings from each of those individual files to complete

02:47

a comprehensive configuration

02:52

bundle for that specific source type. And so this is what it would look like in memory and those with settings that would be applied to the data that has the source type my source type.

03:04

So now that we've seen how multiple files that don't have conflicting attributes would be aggregated together through configuration file layering, we have to also talk about configuration file precedents because this is gonna come into place when there are conflicting values.

03:22

So basically, the way that *** does this

03:24

is imagine. It takes all of the configurations located in default system first, and it loads those right and then imagine that it goes into the app directories and all of their default files. And then it writes those on top of the default system ones and anywhere that there's a collision.

03:44

The values overridden. So now say there was a setting in default system, and then the same setting was made in default app

03:52

default app will now overwrite that system setting that it collides with but keep the rest and then add any other additional non conflicting ones. And then it moves to the local APP directories. Those settings will get superimposed and either overwrite ones where there's collisions

04:09

or just continue adding to the total span of what configurations there are. And then finally, anything that is in the locals, etc. System Local Directory of Splunk

04:20

will take highest priority. So if there are conflicting settings on and

04:27

one of the settings resides in, etc. System local, that will always be the prevailing setting. So let's take a look at this in practice. So as you can see here we have again to props configurations where we're dealing with the my source type source tape again

04:43

and the one on the left is located in my APP default. The one on the right is located in etc. System local.

04:50

So all these settings match except as you can see this highlighted truncate value.

04:57

So because these air going to collide, one of these settings is gonna be over it and and the other will prevail. And based on the president's war that we talked about before. We know that this truncate equals 5000 coming from the etc system. Local directory will be higher precedence and will take effect so

05:16

that truncate Eagles 5000 will actually override Truncate equals 7500.

05:21

So that's how that actually works

05:25

Now. We'll talk quickly about lexical graphical order,

05:29

so if you don't know what lexical graphical order is, basically it's kind of similar to alphabetical order. But it's a little bit more complex, so you know, in normal alphabetical order, lower case A B C D A. Takes precedence over BC takes precedence over

05:46

D or C. But in lexical graphical order, numbers come first. So zero through nine, its highest priority, then capital letters in alphabetical order are high priority and then lower case a dizzy are the lowest priority.

06:03

So where this comes into play is when there are apse with conflicting settings. The way Splunk decides which one will take precedence is whichever one has the higher lexical graphical order precedence. So, for example, an app that is named,

06:24

uh, Anthony app

06:27

all lower case

06:28

would not be or would take precedence over a app called Brandon app because a the first letter in the first app

06:38

is takes precedence over B the first letter in the second half. But if it was Anthony AB all lower case and then capital be Brandon Ab

06:48

Brandon, App would then take precedence because of lexical graphical order. This doesn't come into play a whole lot, and you won't really need toe. Use it very often, but there will be an occasion where maybe if to

07:04

Teoh two conflicting settings and you need to override it. And so you basically just manipulate the name of your app to make sure that it's got a higher lexical graphical order precedence.

07:19

And then there's one other

07:23

precedence issue that we need to talk about. And this is basically when you have a single props dot com pile with duplicate attributes. So

07:34

in those instances, basically, Prince precedence is determined by the name of the stanza in asking order, and then,

07:44

ah, way you can manipulate that as well is by setting thebe priority attributes toe override that so you can manually set the priority. So, for example, if I had to settings, that would normally

07:59

conflict and I wanted the one that

08:03

technically came second in asking order. I could set the priority value on both of those, said it to the 1st 1 to 5 and that the 2nd 1 to like seven and then even though, uh, it does not win asking order. Since the priority attributes is set, it would win.

08:20

Then. There's also

08:22

multiple ways you can make your stanzas in props dot com. You can specify just a value, which by default will be registered as a source type. Or you can do source colon, colon and a source name or host colon, colon and a host name. So if there are multiple settings and they conflict,

08:41

basically, a source setting will take precedence over a host setting, and a host setting will take over a source typesetting. So those are just some important things to know. In case you have to troubleshoot why you're setting isn't taking place or if you want to strategically make a stands us so that it takes precedence

09:01

over another one, then these are important

09:03

most of these. I tend to back reference. I don't always I want to know. Expect everyone to keep this committed to memory. This one might be something you have toe, come back and check on.

09:16

So in summary during this video, we covered how configuration file layering works in Splunk so that you can have one set of configurations loaded into memory from several different

09:28

configuration files of the same name. Then we also talked about President's order and how that is based on the directory and etc system local being the highest precedence than AP local than AP default and then at sea system default.

09:43

Then we also talked about presidents between multiple APs and how if you have conflicting settings in Tuapse, whichever APP has the higher lexical graphical order will have the settings that prevail. Then we also talked about presidents within one props dot com How different stands a names have a precedence order and also

10:03

how

10:05

stanzas within the same file follow asking order, or we'll use the priority attributes within the stanza itself to decide precedence that wraps everything up. We need to talk about for how configurations are applied. So in the next lesson will talk about when