Exam SPLK-1003 topic 1 question 24 discussion

Very tricky!!! Answer is NOT D as etc/users/admin/local is not a valid directory . it is missing the <user app>.... to be correct it would look like this... etc/users/admin/<app name>/local .. so answer is C. Also reference Data Admin class PDF page 20 search time precedence diagram..

The question is about "search time" no "index time" (Global context) so the App/User context has the highest precedence, the answer is D https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

D, check page 121 os the System Admin official Splunk course. Search-Time Precedence (App/User Context) Precedence order where 1 is highest priority: 1. Current user directory for app etc/users/user/appname/local 2. App directory - running app etc/apps/appname/local etc/apps/appname/default 3. App directories - all other apps* etc/apps/appname/local etc/apps/appname/default 4. System directories etc/system/local etc/system/defaultPrecedence order

tricky question, however, if you follow the documentation this is the precedence for search time: Precedence order 1. Current user directory for app etc/users/user/appname/local 2. App directory - running app etc/apps/appname/local etc/apps/appname/default 3. App directories - all other apps* etc/apps/appname/local etc/apps/appname/default 4. System directories etc/system/local etc/system/default

Search-Time Precedence (App/User Context) Current user directory for app etc/users/user/appname/local 2. App directory - running app etc/apps/appname/local etc/apps/appname/default 3. App directories - all other apps* etc/apps/appname/local etc/apps/appname/default 4. System directories etc/system/local

It’s ‘D’. During search time, the directory of configuration files with the highest precedence is: **D. $SPLUNK_HOME/etc/users/admin/local** The order of precedence for configuration files in Splunk, from highest to lowest, is as follows: 1. **$SPLUNK_HOME/etc/users/<username>/<appname>/local** 2. **$SPLUNK_HOME/etc/users/<username>/<appname>/default** 3. **$SPLUNK_HOME/etc/apps/<appname>/local** 4. **$SPLUNK_HOME/etc/apps/<appname>/default** 5. **$SPLUNK_HOME/etc/system/local** 6. **$SPLUNK_HOME/etc/system/default** This hierarchy ensures that user-specific settings (which are stored in the `$SPLUNK_HOME/etc/users` directory) take precedence over app-specific settings and system-wide settings.

1. Current user directory for app etc/users/user/appname/local 2. App directory -running app etc/apps/appname/local etc/apps/appname/default 3. App directories -all other apps* etc/apps/appname/local etc/apps/appname/default 4. System directories etc/system/localetc/system/default PDF Page 341 Since the path of D is wrong, I would go with C as the next in line to take precedence and its the highest for this question

D is very tricky! It would have been the correct answer if it was D. $SPLUNK_HOME/etc/users/admin/app_name/local Since there is no app in the path it doesn't exist.

The question is about search-time precedence, answer D is correct.

Answer D is correct.

If D have a correct dir (/etc/users/app_abcde/local) will be correct, but in this case is C

Answer C

INDEX time: sys local, app local, app default, sys default SEARCH time: user app (user directory), running app (local and defautl), other apps (local and default), sys directories (local and default). so D!

Answer: C

global/index context 1.etc/system/local 2.etc/apps/app_name/local 3.etc/apps/app_name/default 4.etc/system/default User/app/search context 1.etc/users/system/local fallow by default 2.etc/apps/currently_running_app/local fallow by default 3.etc/apps/all_other_apps/local fallow by default 4.etc/system/local fallow by default

A is correct, page 86-89 in System admin PDF

C is correct D is incorrect - path is missing app name (assuming local is not an app name)