What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?
During index time in Splunk, the precedence order of configuration files is important. The system local directory (SPLUNK_HOME/etc/system/local) has the highest precedence, followed by app local directories (SPLUNK_HOME/etc/apps/appname/local) in lexicographical order. Here, the configuration files specify the following for [stanza1]: host=server1 in the system local directory, and in the app local directories, the first entry indicates host=searchsvr1 and index=searchinfo, while the second entry indicates host=unixsvr1 and index=unixinfo. Since the system local directory has the highest precedence, host=server1 will be used. For the index, since app local directories under the same app are considered in the provided order and the second entry is the latest discovered, index=unixinfo will be used. Therefore, the values for host and index for [stanza1] used by Splunk during index time are host=server1 and index=unixinfo.
The answer is B.
Index Time Precedence Order:
1 - System Local directory [etc/system/local]
2 - App Local directories [etc/apps/appname/local] (lexicographical order A..Z)
3 - App default directories [etc/apps/appname/default] (lexicographical order A..Z)
4 - System default directory [etc/system/default]
Confirmed per Splunk documentation https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Wheretofindtheconfigurationfiles "When consuming a global configuration, such as inputs.conf, Splunk software first uses the attributes from any copy of the file in system/local. Then it looks for any copies of the file located in the app directories, adding any attributes found in them, but ignoring attributes already discovered in system/local."
Just did the Admin test today (passed), and got this question. The actual question is not the same as the one provided here - as mentioned below, the two local paths have different app names 'search' and 'unix', and not both as 'search'. In that case 'search' will take precedence over 'unix' - and so B is correct.
Yes, you are right. There is a typo in the question; the last inputs.conf is as below: SPLUNK_HOME/etc/app/unix/local/inputs.conf (not search). Option B
I took the test recently and the question here is wrong. With the question as stated here, the answer is A because it takes host from system/local and it takes the last valid stanza from apps/search/local. However in the actual question one of the stanzas comes from apps/unix/local instead of apps/search/local. In that case, it still takes host from system/local, but it takes index from apps/search/local because s comes before u.
I believe answer is A.
- etc/system/local/ has better precedence at index time
- for identical settings in the same file, the last one overwrites the others, see: https://community.splunk.com/t5/Getting-Data-In/What-is-the-precedence-for-identical-stanzas-within-a-single/m-p/283566
I guess the question is not correct... this way it just cannot be answered correctly because you cannot say which of the stanza1 entries is first in the /apps/search/local/inputs.conf... I would think that the second entry (with "host=unixsvr1" and index="unixinfo") should be located in /etc/apps/unix/local/inputs.conf... this would be in line with other examples used in the Administration courses (see System Administration Slide 82). Therefore answer B would be correct as the 'search' app comes before the 'unix' app in lexicographical order. B is correct. Question has a typo.
I think the answer is A.
Answer is A. During index time, higher prevalence is for /etc/system/local/ with: host=server1 this combined with second prevalence which is /etc/apps/search/local/ with index=unixinfo.
Why not A?
There is a typo in the question; the last inputs.conf is as below: SPLUNK_HOME/etc/app/unix/local/inputs.conf (not search). Option B
Should be 'A'. Assuming the two 'apps' inputs are in the order provided, then the last stanza will override the first, meaning the index will be set to 'unixinfo'. The host will be set by the system/local file, which takes precedence over app/local.
Wrong - see my later comment. The actual question has different app names for the local paths, meaning the answer will be B, not A.
data admin pdf pg 257. Precedence at index-time. 1 - etc/system/local . I think the ans is A, which it had the index name though
There is a typo in the question; the last inputs.conf is as below: SPLUNK_HOME/etc/app/unix/local/inputs.conf (not search). Option B
Answer is B for index-time precedence order (see other comments) and, with replicated stanza in the same .conf file, the last one overrides the previous one. Verify the configuration with btool and you get the last listed entry rule
Sorry, my explanation was about A that is correct, I was remembering B... ahah
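Added example (not part of any comment above and not Splunk's own code): a simplified Python model of the index-time merge described in this thread, run against both readings of the question. The function names and the relative `etc/...` paths are assumptions made for illustration; the stanza values are the ones quoted on this page.

```python
def parse_conf(text):
    """Parse .conf text into {stanza: {attr: value}}. A stanza repeated in
    one file is merged, and a later attribute overwrites an earlier one."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def rank(path):
    """Sort key for the order listed in the thread: system/local, app local
    (by app name), app default (by app name), system default."""
    parts = path.split("/")
    layer = parts[-2]                          # "local" or "default"
    if len(parts) >= 4 and parts[-4] == "apps":
        return (1, parts[-3]) if layer == "local" else (2, parts[-3])
    return (0, "") if layer == "local" else (3, "")

def effective(files, stanza):
    """files: {path: conf text}. Returns {attr: (value, winning path)}."""
    merged = {}
    for path in sorted(files, key=rank):
        for key, value in parse_conf(files[path]).get(stanza, {}).items():
            merged.setdefault(key, (value, path))  # first (highest) setter wins
    return merged

# Constructed inputs, using the values quoted in the question.
SYSTEM_LOCAL = "[stanza1]\nhost=server1\n"
SEARCH = "[stanza1]\nhost=searchsvr1\nindex=searchinfo\n"
UNIX = "[stanza1]\nhost=unixsvr1\nindex=unixinfo\n"
AS_POSTED = {      # both app stanzas in apps/search/local, as posted here
    "etc/system/local/inputs.conf": SYSTEM_LOCAL,
    "etc/apps/search/local/inputs.conf": SEARCH + UNIX,
}
AS_CORRECTED = {   # second stanza in apps/unix/local, per the commenters
    "etc/system/local/inputs.conf": SYSTEM_LOCAL,
    "etc/apps/search/local/inputs.conf": SEARCH,
    "etc/apps/unix/local/inputs.conf": UNIX,
}

if __name__ == "__main__":
    for name, files in (("as posted", AS_POSTED), ("as corrected", AS_CORRECTED)):
        print(name, effective(files, "stanza1"))
```

On a real instance, `splunk btool inputs list --debug` prints the merged settings together with the file each one came from.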