3. File precedence

File precedence is an important aspect of troubleshooting in Splunk for an administrator, developer, as well as an architect. All of Splunk’s configurations are written within plain text .conf files. There can be multiple copies present for each of these files, and thus it is important to know the role these files play when a Splunk instance is running or restarted.

To determine the priority among copies of a configuration file, Splunk software first determines the directory scheme. The directory schemes are either a) Global or b) App/user.

When the context is global (that is, where there’s no app/user context), directory priority descends in this order:

System local directory — highest priority
App local directories
App default directories
System default directory — lowest priority

When the context is app/user, directory priority descends from user to app to system:

User directories for current user — highest priority
App directories for currently running app (local, followed by default)
App directories for all other apps (local, followed by default) — for exported settings only
System directories (local, followed by default) — lowest priority