How Configs are Applied
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
6 hours 3 minutes
Hello and welcome back to the Splunk Enterprise Certified Administrator Course on Cyber. This issue any lesson? 4.2 how configurations are ified.
The learning objectives for this lesson are gonna be to talk about configuration file layering and how it works. Talk about configuration file precedents. How that might impact our your configurations that you have on disk and then also go over lexical graphical order. And at what point with Splunk that will come into play.
So why are we learning this? It's important to understand where and when these configurations are gonna be made to make sure that you're placing them in the correct location, and also that the settings that you want to prevail will prevail based on where you place them. So this is a pivotal part in understanding
spawn configurations and also a common area where I see mistakes being made so
or confusion around why my configuration isn't taking place. If you understand these concepts thoroughly, then you'll really know where to place your configurations or how to check and validate why they're not taking place. So first we'll talk about configuration layering. So what? This is This is basically how Splunk
compiles all of the different settings that are in configuration files on disk into memory.
So the way it works is it finds all copies of a given file, and then it merges them together into a single file. If there's conflicting attributes across multiple files, then there is a precedence order that Splunk uses to determine which setting should prevail over the other ones.
And the priority is based on
the directory location of the file, and we'll talk about that a little bit later on. But first we're gonna keep kind of diving into this configuration layering and show you a demonstration of how this would work.
So say you have three crops dot com files as shown on screen here, ones located, etc. System, local one, etc. APs in your app. One default directory and then the other in your app to local directory. As you can see, the stanza, which is the part that dictates what
the settings are being applied to,
are the same. So this is all settings from prop sykov to configure a source type called my source type,
and you could see they have all of these files have different configurations and So when Splunk starts and it compiles all the files and creates the configuration in memory, what it's gonna end up looking like is actually this It's gonna
combined the settings from each of those individual files to complete
a comprehensive configuration
bundle for that specific source type. And so this is what it would look like in memory and those with settings that would be applied to the data that has the source type my source type.
So now that we've seen how multiple files that don't have conflicting attributes would be aggregated together through configuration file layering, we have to also talk about configuration file precedents because this is gonna come into place when there are conflicting values.
So basically, the way that *** does this
is imagine. It takes all of the configurations located in default system first, and it loads those right and then imagine that it goes into the app directories and all of their default files. And then it writes those on top of the default system ones and anywhere that there's a collision.
The values overridden. So now say there was a setting in default system, and then the same setting was made in default app
default app will now overwrite that system setting that it collides with but keep the rest and then add any other additional non conflicting ones. And then it moves to the local APP directories. Those settings will get superimposed and either overwrite ones where there's collisions
or just continue adding to the total span of what configurations there are. And then finally, anything that is in the locals, etc. System Local Directory of Splunk
will take highest priority. So if there are conflicting settings on and
one of the settings resides in, etc. System local, that will always be the prevailing setting. So let's take a look at this in practice. So as you can see here we have again to props configurations where we're dealing with the my source type source tape again
and the one on the left is located in my APP default. The one on the right is located in etc. System local.
So all these settings match except as you can see this highlighted truncate value.
So because these air going to collide, one of these settings is gonna be over it and and the other will prevail. And based on the president's war that we talked about before. We know that this truncate equals 5000 coming from the etc system. Local directory will be higher precedence and will take effect so
that truncate Eagles 5000 will actually override Truncate equals 7500.
So that's how that actually works
Now. We'll talk quickly about lexical graphical order,
so if you don't know what lexical graphical order is, basically it's kind of similar to alphabetical order. But it's a little bit more complex, so you know, in normal alphabetical order, lower case A B C D A. Takes precedence over BC takes precedence over
D or C. But in lexical graphical order, numbers come first. So zero through nine, its highest priority, then capital letters in alphabetical order are high priority and then lower case a dizzy are the lowest priority.
So where this comes into play is when there are apse with conflicting settings. The way Splunk decides which one will take precedence is whichever one has the higher lexical graphical order precedence. So, for example, an app that is named,
uh, Anthony app
all lower case
would not be or would take precedence over a app called Brandon app because a the first letter in the first app
is takes precedence over B the first letter in the second half. But if it was Anthony AB all lower case and then capital be Brandon Ab
Brandon, App would then take precedence because of lexical graphical order. This doesn't come into play a whole lot, and you won't really need toe. Use it very often, but there will be an occasion where maybe if to
Teoh two conflicting settings and you need to override it. And so you basically just manipulate the name of your app to make sure that it's got a higher lexical graphical order precedence.
And then there's one other
precedence issue that we need to talk about. And this is basically when you have a single props dot com pile with duplicate attributes. So
in those instances, basically, Prince precedence is determined by the name of the stanza in asking order, and then,
ah, way you can manipulate that as well is by setting thebe priority attributes toe override that so you can manually set the priority. So, for example, if I had to settings, that would normally
conflict and I wanted the one that
technically came second in asking order. I could set the priority value on both of those, said it to the 1st 1 to 5 and that the 2nd 1 to like seven and then even though, uh, it does not win asking order. Since the priority attributes is set, it would win.
Then. There's also
multiple ways you can make your stanzas in props dot com. You can specify just a value, which by default will be registered as a source type. Or you can do source colon, colon and a source name or host colon, colon and a host name. So if there are multiple settings and they conflict,
basically, a source setting will take precedence over a host setting, and a host setting will take over a source typesetting. So those are just some important things to know. In case you have to troubleshoot why you're setting isn't taking place or if you want to strategically make a stands us so that it takes precedence
over another one, then these are important
most of these. I tend to back reference. I don't always I want to know. Expect everyone to keep this committed to memory. This one might be something you have toe, come back and check on.
So in summary during this video, we covered how configuration file layering works in Splunk so that you can have one set of configurations loaded into memory from several different
configuration files of the same name. Then we also talked about President's order and how that is based on the directory and etc system local being the highest precedence than AP local than AP default and then at sea system default.
Then we also talked about presidents between multiple APs and how if you have conflicting settings in Tuapse, whichever APP has the higher lexical graphical order will have the settings that prevail. Then we also talked about presidents within one props dot com How different stands a names have a precedence order and also
stanzas within the same file follow asking order, or we'll use the priority attributes within the stanza itself to decide precedence that wraps everything up. We need to talk about for how configurations are applied. So in the next lesson will talk about when
during which phase settings are applied. So I'll see you in the next video