1
00:00:00,210 --> 00:00:02,790
The easiest way probably is to check.

2
00:00:06,680 --> 00:00:10,340
Is by searching for our internal logs.

3
00:00:11,970 --> 00:00:14,490
Index is equal to internal.

4
00:00:15,660 --> 00:00:18,480
Let us run for last 15 minutes.

5
00:00:18,480 --> 00:00:19,470
Should be fine.

6
00:00:23,190 --> 00:00:28,680
As you can see in last 15 minutes, there are two hostnames.

7
00:00:28,710 --> 00:00:32,490
This was before we were testing hierarchical.

8
00:00:32,520 --> 00:00:33,570
If we keep it.

9
00:00:34,550 --> 00:00:35,160
For.

10
00:00:35,270 --> 00:00:37,760
Just like last five minutes.

11
00:00:39,510 --> 00:00:45,180
We'll be able to see our configuration from host system.

12
00:00:46,080 --> 00:00:50,310
Local has been picked up as per our configuration.

13
00:00:50,310 --> 00:00:51,810
This is right.

14
00:00:51,810 --> 00:00:57,240
So this overrides any configuration that has been defined in this location.

15
00:00:57,390 --> 00:01:05,220
We didn't change any default location because it is highly recommended to edit any configuration under

16
00:01:05,220 --> 00:01:06,060
system default.

17
00:01:06,090 --> 00:01:11,010
We have edited the three configurations out of these total.

18
00:01:11,370 --> 00:01:15,180
The system local got the highest preference.

19
00:01:15,180 --> 00:01:19,560
The configuration, as you can see, is reflected in our hostname.

20
00:01:21,100 --> 00:01:23,500
Now what happens if.

21
00:01:25,620 --> 00:01:27,750
I eliminate my first one.

22
00:01:27,990 --> 00:01:31,260
But understanding it should be clear that the.

23
00:01:32,190 --> 00:01:35,430
Hostname should be picked up from system local.

24
00:01:36,920 --> 00:01:42,260
Let us remove our configuration from system local.

25
00:01:44,640 --> 00:01:46,770
etc system.

26
00:01:47,920 --> 00:01:48,700
Local.

27
00:01:49,570 --> 00:01:52,450
This is where we defined our configuration.

28
00:01:55,260 --> 00:02:00,990
Let us remove this or you can comment it out or you can completely remove it.

29
00:02:03,410 --> 00:02:06,350
I'll go ahead and restart my Splunk instance.

30
00:02:17,220 --> 00:02:20,940
What do we expect to have on a host field now?

31
00:02:20,970 --> 00:02:30,270
It should be hosted under app local so that our second preference should be picked up from application

32
00:02:30,270 --> 00:02:31,590
local directory.

33
00:02:36,510 --> 00:02:38,660
Our Splunk has successfully started.

34
00:02:41,410 --> 00:02:42,490
Let me log in.

35
00:02:56,850 --> 00:02:59,580
Let me rerun the search for last 5 minutes.

36
00:03:05,750 --> 00:03:07,340
As we can see now.

37
00:03:08,290 --> 00:03:14,830
There is a new host entry that is hosted under app local since in the last five minutes.

38
00:03:15,220 --> 00:03:25,090
This was the default system default before editing any configuration and this was after editing or specifying.

39
00:03:25,880 --> 00:03:32,960
The same configuration under four different hierarchy the system local clearly won and we saw the first

40
00:03:32,960 --> 00:03:39,950
one system local reflected when we see the second one when we remove the configuration from here, even

41
00:03:39,950 --> 00:03:44,840
though the default is there, it will be overwritten by our app local.

42
00:03:45,230 --> 00:03:51,050
It picked up our second hierarchy as per our understanding.

43
00:03:51,050 --> 00:03:56,450
Now, let us go ahead and remove our app local also.

44
00:03:56,480 --> 00:04:01,940
So for that we'll be going under etc apps.

45
00:04:02,870 --> 00:04:06,140
This is the app name where we edited the configuration.

46
00:04:07,440 --> 00:04:10,560
We will remove the local configuration now.

47
00:04:10,860 --> 00:04:15,240
The final fight is between to pick up the configuration.

48
00:04:16,430 --> 00:04:20,240
The final fight will be from app default and system default.

49
00:04:22,560 --> 00:04:25,680
Let us restart our Splunk instance.

50
00:04:42,510 --> 00:04:50,040
Once we have restarted our Splunk instance, we should be able to see our latest host entry that will

51
00:04:50,040 --> 00:04:53,400
be hosted under app default.