All Apps and Add-ons

Splunk conf file precedence: Can I have multiple props.conf files for the same source::udp:514?

gdavid
Path Finder

I have syslog coming into 2 forwarders.
I have the cisco app tagging the data for the Cisco Security Suite App.
I wanted to add a few lines to change the index to a new index instead of the default syslog one.

Cisco App has this:

## sourcetype identification
####

[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pi
x,force_sourcetype_for_cisco_fwsm

I want to create a new app and call it index-cleanup with a props file like:

[source::udp:514]
TRANSFORMS-SendtoCiscoIndex

Can I have multiple props files tweaking the source::udp:514 ?

who wins if there is a conflict that may be set in a future Cisco App update (ex: cisco app decides it wants to index to notWhereIwantItIndex)

thanks
GD

0 Karma

sjalexander
Path Finder

the right way to override app defaults is with a local config within that app.

You can do what you're trying to do in 2 ways:
- override the setting in the Cisco app with a local config setting
- disable the setting in the Cisco app with a local config setting, then re-implement your way in another app

to override the setting in the application, make a directory "local" inside the app directory, create an inputs.conf there, add the stanza you'd like to modify or disable, and put the setting there.

In your case, this would be in <Cisco app dir>/local/inputs.conf and the entry would be

[source::udp:514]
TRANSFORMS-SendtoCiscoIndex

to modify per your spec, or

[source::udp:514]
disabled = 1

to disable - then make your app with the above setting in its own inputs.conf.

hardik_splunk
Splunk Employee
Splunk Employee

You can override required configurations in local folder and Splunk will use configurations from both local as well as a default folder. Please note configurations in local gets higher precedence over the same configurations in default folder.

i.e Following setting in CiscoApp/default
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pi
x,force_sourcetype_for_cisco_fwsm

CiscoApp/local
[source::udp:514]
TRANSFORMS-SendtoCiscoIndex

0 Karma

gdavid
Path Finder

what about a merge? i want to keep what the default app is doing for source type etc. i just want to modify the destination for metadata tag for index.
if i create a /local/inputs.conf and put in
[source::udp:514]
TRANSFORMS-SendtoCiscoIndex

does it merge with the other or override completely the default/inputs.conf?

0 Karma

hardik_splunk
Splunk Employee
Splunk Employee

The better option is to put the changes into Cisco Security App /local folder. Copy inputs.conf file into this folder and update the index as per your requirement. The local folder will not be updated with future upgrades.

0 Karma

sundareshr
Legend
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...