A developer, administrator, and architect all have to consider file precedence when troubleshooting Splunk. All Splunk configurations are SAVED in plain text .conf files. Almost every aspect of Splunk's behaviour is determined by CONFIGURATION files. There can be multiple copies of the same configuration file in a Splunk platform deployment. In most cases, these file copies are layered in directories that might affect users, applications, or the overall system. If you WANT to modify configuration files, you must know how the Splunk software evaluates those files and which ones have precedence when the Splunk software runs or is restarted.

Splunk software considers the context of each configuration file when determining the order of directories to prioritize configuration files. Configuration files can either be operated in a global context or in the context of the current application/user. 

DIRECTORY PRIORITY descends as follows when the file context is global:   

• System local directory -- highest priority  ->
• Application local directories  ->
• Application default directories  ->
• System default directory -- lowest priority

Directory priority descends from user to application to system when file context is current application/user:

• User directories for the current user -- highest priority   ->
• Application directories for the currently running application (local, followed by default)  ->
• Application directories for all the other applications (local, followed by default) -- for exported settings only ->
• System directories (local, followed by default) -- lowest priority