Simple scenario
app_a/default/props.conf
25_app_a/default/props.conf
The 25_app_a is an exact copy aside from the change noted below.
Both contain field aliases for the same sourcetype. The fields/classes are the same aside from a simple "as" clause. app_a says severity as severity_id, and 25_app_a you can see below. Due to ASCII ordering of apps, 25_ should override, and from a btool perspective it does.
However, in the UI the base app is still winning.
~/bin/splunk btool props list --debug |grep severity
/opt/splunk/etc/apps/25_app_a/default/props.conf FIELDALIAS-cim_for_sev = severity AS severity_OVERRIDE
Please don't offer solutions such as "use app_a and /local/"; there is a reason I'm doing it this way and I want emphasis to be on understanding precedence and btool.