BREAK_ONLY_BEFORE_DATE = false
[security_log]
EXTRACT-<name> = \[(?P<user>.*?)\]
BREAK_ONLY_BEFORE_DATE = false
The setting with the biggest impact here is the bare attribute BREAK_ONLY_BEFORE_DATE = false. Because it appears before any stanza header, it is first added to the [default] stanza, and from there it is applied to every stanza that does not already set a value for it. As a general rule, avoid using the [default] stanza or bare-word attributes: the final effect on stanzas you never intended to touch may not be what you expect.
Configuration merging example 4 (search)
In this case, we are in search, so we will use the more complicated merging order. Assuming that we are currently working in the app d, let's merge the same configurations again. For simplicity, we are assuming that all attributes are shared globally. We will merge the same configurations listed previously in example 3. With d as our current app, we will now merge in this order:
$SPLUNK_HOME/etc/system/local/props.conf
$SPLUNK_HOME/etc/apps/b/default/props.conf
$SPLUNK_HOME/etc/apps/d/default/props.conf
$SPLUNK_HOME/etc/apps/d/local/props.conf
Stepping through each merge, the configuration will look like this:
1. We start with $SPLUNK_HOME/etc/system/local/props.conf:
BREAK_ONLY_BEFORE_DATE = false
[web_access]
TZ = CST
2. Now, we merge the default for apps other than our current app (which, in this case, is only one configuration), $SPLUNK_HOME/etc/apps/b/default/props.conf:
BREAK_ONLY_BEFORE_DATE = false
[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = CST
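To make the two rules above concrete (a bare attribute lands in [default] and then leaks into every stanza that does not set it; files are merged lowest precedence first, with a later file overriding an attribute only in the stanza where it sets it), here is a small model of the merge as an added example. It is not the book's code and not Splunk's implementation: it only reproduces the behaviour described in this example. The contents of the system/local and apps/b/default files follow the text; the two app d files are constructed here purely to show a stanza-level override and [default] inheritance, and the $SPLUNK_HOME paths are labels only. Real Splunk also weighs whether an app exports its settings and looks at the user's own directories, which this model leaves out.

```python
"""
Minimal model of search-time props.conf merging: merge files in precedence
order (later files win per attribute within a stanza), treat attributes
written before any [stanza] header as members of [default], then let every
stanza inherit each [default] attribute it does not set itself.
Added example; not the book's code and not Splunk's implementation.
"""

# Files in the merge order used for app d at search time (lowest precedence
# first). The first two bodies follow the text; the two app-d files are
# constructed for illustration only.
SAMPLE_FILES = [
    ("$SPLUNK_HOME/etc/system/local/props.conf", r"""
BREAK_ONLY_BEFORE_DATE = false
[web_access]
TZ = CST
"""),
    ("$SPLUNK_HOME/etc/apps/b/default/props.conf", r"""
[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %Y-%m-%d %H:%M:%S
"""),
    # Constructed: app d's default overrides TZ for one stanza and adds a
    # second stanza that never mentions BREAK_ONLY_BEFORE_DATE.
    ("$SPLUNK_HOME/etc/apps/d/default/props.conf", r"""
[web_access]
TZ = UTC
[security_log]
EXTRACT-name = \[(?P<user>.*?)\]
"""),
    # Constructed: app d's local sets the bare attribute inside one stanza,
    # which beats the [default] value for that stanza only.
    ("$SPLUNK_HOME/etc/apps/d/local/props.conf", r"""
[web_access]
BREAK_ONLY_BEFORE_DATE = true
"""),
]


def parse_conf(text):
    """Parse .conf text into {stanza: {attr: value}}. Attributes that appear
    before any [stanza] header are bare attributes and belong to [default]."""
    stanzas = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        attr, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        stanzas.setdefault(current, {})[attr.strip()] = value.strip()
    return stanzas


def merge_layers(layers):
    """Merge parsed files lowest precedence first; a later layer overrides an
    attribute only where it sets that attribute in the same stanza."""
    merged = {}
    for layer in layers:
        for stanza, attrs in layer.items():
            merged.setdefault(stanza, {}).update(attrs)
    return merged


def merge_files(files, up_to=None):
    """Merge the first `up_to` (path, text) pairs (all of them by default)."""
    selected = files if up_to is None else files[:up_to]
    return merge_layers(parse_conf(text) for _, text in selected)


def effective_settings(merged):
    """Apply [default] inheritance: each named stanza receives every [default]
    attribute it does not set itself. This is where a bare attribute reaches
    stanzas that never mentioned it."""
    defaults = merged.get("default", {})
    return {stanza: {**defaults, **attrs}
            for stanza, attrs in merged.items() if stanza != "default"}


def render(merged):
    """Render a merged tree the way the book prints it: bare attributes
    first, then each stanza, attributes sorted by name."""
    lines = ["%s = %s" % kv for kv in sorted(merged.get("default", {}).items())]
    for stanza in sorted(s for s in merged if s != "default"):
        lines.append("[%s]" % stanza)
        lines.extend("%s = %s" % kv for kv in sorted(merged[stanza].items()))
    return "\n".join(lines)


if __name__ == "__main__":
    for n in range(1, len(SAMPLE_FILES) + 1):
        print("after %d file(s), last merged: %s" % (n, SAMPLE_FILES[n - 1][0]))
        print(render(merge_files(SAMPLE_FILES, n)), end="\n\n")
    print("effective per-stanza values:")
    for stanza, attrs in sorted(effective_settings(merge_files(SAMPLE_FILES)).items()):
        print("[%s] %s" % (stanza, attrs))
```

Running the script prints the tree after each of the four files; the output after the second file matches step 2 above. The final effective settings show the point of the warning: [web_access] ends up with BREAK_ONLY_BEFORE_DATE = true because app d's local file set it there, while [security_log], which never mentioned the attribute, silently inherits false from the bare attribute in system/local.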