1 00:00:01,280 --> 00:00:03,950 Now Splunk has restarted.
2 00:00:07,440 --> 00:00:08,460 Let us log in.
3 00:00:19,330 --> 00:00:23,770 I'll search for the last one minute so that we'll get just the latest events.
4 00:00:26,250 --> 00:00:32,550 As you can see now we have a new entry host under app default.
5 00:00:34,900 --> 00:00:44,320 It's better our understanding we are clear that when the same configuration is defined in all four locations,
6 00:00:44,470 --> 00:00:52,570 whatever is defined in system local will come up as a winner and Splunk while starting up picks up any
7 00:00:52,570 --> 00:00:56,380 configuration here as its final configuration.
8 00:00:56,380 --> 00:01:02,110 If it couldn't find the configuration here it takes for these three directories.
9 00:01:02,140 --> 00:01:09,580 In these three directories app local will be the winner and it will have the final configuration while
10 00:01:09,580 --> 00:01:10,690 starting Splunk.
11 00:01:11,320 --> 00:01:14,740 Similarly, the app default and system default.
12 00:01:14,770 --> 00:01:22,690 When it tests conflicting or the same configuration, the app default will have the highest priority
13 00:01:22,690 --> 00:01:25,330 for any configuration between these two.
14 00:01:25,330 --> 00:01:31,690 If Splunk was starting up, it couldn't find any configuration or customization that are defined in
15 00:01:31,690 --> 00:01:32,410 these three.
16 00:01:32,620 --> 00:01:35,500 It will look for our system default.
17 00:01:36,340 --> 00:01:44,740 Let us go back and remove our default configuration from the app default directory.
18 00:01:52,740 --> 00:01:54,210 I'll comment out these.
19 00:01:56,000 --> 00:01:57,860 Restart my Splunk instance.
20 00:01:58,490 --> 00:02:01,350 So now we should be back to normal.
21 00:02:01,370 --> 00:02:05,960 We have not customised any configuration whatsoever.
22 00:02:05,990 --> 00:02:11,630 It should be picking up directly from the system default location.
23 00:02:18,430 --> 00:02:19,660 Splunk has started.
24 00:02:36,750 --> 00:02:38,160 Let me run the search.
25 00:02:39,750 --> 00:02:41,040 As we read in the search.
26 00:02:41,040 --> 00:02:47,160 If you check for the latest event, it will be our default host name.
27 00:02:48,890 --> 00:02:50,090 System default.
28 00:02:51,290 --> 00:03:01,400 If you want to know where the system default to hostname it is picking up is it is the system default.
29 00:03:05,070 --> 00:03:06,090 Inputs.
30 00:03:06,450 --> 00:03:09,330 It is mentioned as decideOnStartup.
31 00:03:09,330 --> 00:03:16,580 So if you have capital hostname command defined on your OS, it can pick up from the OS.
32 00:03:16,590 --> 00:03:19,380 So what this decideOnStartup does is.
33 00:03:20,780 --> 00:03:27,110 While starting up the Splunk, it will check for the hostname of your machine where Splunk is installed,
34 00:03:27,110 --> 00:03:29,000 and it will take that host name.
35 00:03:29,870 --> 00:03:32,510 And it is it will assign it to your.
36 00:03:33,520 --> 00:03:37,420 Logs that are generated out of those machines.
37 00:03:38,220 --> 00:03:39,720 To be very clear.
38 00:03:40,610 --> 00:03:47,210 When you are troubleshooting some configuration or you are editing some configuration in app default
39 00:03:47,210 --> 00:03:54,080 or app local, you see that it is not reflecting upon syntax being right and everything, but there
40 00:03:54,080 --> 00:03:59,990 might be a configuration in system local which might be overwriting whatever you define under these
41 00:03:59,990 --> 00:04:01,040 three locations.
42 00:04:01,370 --> 00:04:08,150 And also always keep in mind, never ever try to edit these default location folder.
43 00:04:08,450 --> 00:04:14,150 Let me show you by default even though you are system.
44 00:04:15,610 --> 00:04:18,700 Account is used to run Splunk.
45 00:04:19,870 --> 00:04:21,670 Privilege or normal.
46 00:04:23,050 --> 00:04:27,530 These files in system default will allow only read permission.
47 00:04:27,550 --> 00:04:32,470 As you can see, this is the system default and all has read permission.
48 00:04:32,470 --> 00:04:40,090 Splunk highly recommends not to edit these files so that if you mess up any configuration, your Splunk
49 00:04:40,090 --> 00:04:41,140 might never start.
50 00:04:41,170 --> 00:04:44,590 Make sure you never touch these files. If you want to edit them,
51 00:04:44,590 --> 00:04:49,060 copy these files into any of these three locations and modify them.