Looking for guidance on how one app can overwrite configurations in another app.
Have already read over https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles multiple times, along with experimenting with different app naming and btool debug for validation. Myapp\local\ is not an option, as these will also be used for Splunk Cloud, which doesn't allow \local\ customization.
Let's take a simple example of eventtype overriding, which is clearly a search-time / app/user configuration file and thus uses reverse-lexicographical order.
\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf
[bluecoat_proxy]
search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"
\apps\z_myapp_Splunk_TA_bluecoat-proxysg\default\eventtypes.conf
[bluecoat_proxy]
search = sourcetype=bluecoat:proxysg:access* OR sourcetype=bcoat_proxysg* NOT bluecoat_header="#"
splunk btool eventtypes list --debug shows Splunk_TA_bluecoat-proxysg wins:
C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf [bluecoat_proxy]
C:\Splunk\etc\system\default\eventtypes.conf color =
C:\Splunk\etc\system\default\eventtypes.conf description =
C:\Splunk\etc\system\default\eventtypes.conf disabled = 0
C:\Splunk\etc\system\default\eventtypes.conf priority = 1
C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"
C:\Splunk\etc\system\default\eventtypes.conf tags =
Renaming z_myapp_Splunk_TA_bluecoat-proxysg to myapp_Splunk_TA_bluecoat-proxysg (so now, instead of sorting below Splunk_TA_bluecoat-proxysg, it sorts above), the btool debug output remains unchanged. The Splunk_TA_bluecoat-proxysg bluecoat_proxy eventtype still "wins".
default.meta in both addons is the same:
[]
access = read : [ * ], write : [ admin,sc_admin]
export = system
I'm trying to avoid having to re-author every single addon we have customization for in the Cloud. The idea is to keep the Splunk/third-party made addon as-is and then apply our customization in a separate addon (as today, we're doing this in \addon\local\ which is not possible for Cloud) -- NOT editing the Splunk/third-party made addon directly.
Is it possible to accomplish this goal?
Is it "a_" instead of "z_"?
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wheretofindtheconfigurationfiles
The finer points of lexicographical order
In the global context only, lexicographical order determines precedence. Thus, files in an apps directory named "A" have a higher priority than files in an apps directory named "B", and so on. Also, all apps starting with an uppercase letter have precedence over any apps starting with a lowercase letter, due to lexicographical order. ("A" has precedence over "Z", but "Z" has precedence over "a", for example.)
It still appears to sort above the Splunk TA, but I went ahead and gave it a try. Still not working (this is with 7.2.8 on Windows). btool confirms my addon is being read -- just for other eventtypes not present in the Splunk TA.
C:\Splunk\bin>splunk btool eventtypes list --debug
C:\Splunk\etc\apps\a_myapp_Splunk_TA_bluecoat-proxysg\default\eventtypes.conf [bluecoat_authentication]
C:\Splunk\etc\system\default\eventtypes.conf color =
C:\Splunk\etc\system\default\eventtypes.conf description =
C:\Splunk\etc\system\default\eventtypes.conf disabled = 0
C:\Splunk\etc\system\default\eventtypes.conf priority = 1
C:\Splunk\etc\apps\a_myapp_Splunk_TA_bluecoat-proxysg\default\eventtypes.conf search = sourcetype="bluecoat:proxysg:appliance:syslog" vendor_file="authconsole.cpp"
C:\Splunk\etc\system\default\eventtypes.conf tags =
<snip>
C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf [bluecoat_proxy]
C:\Splunk\etc\system\default\eventtypes.conf color =
C:\Splunk\etc\system\default\eventtypes.conf description =
C:\Splunk\etc\system\default\eventtypes.conf disabled = 0
C:\Splunk\etc\system\default\eventtypes.conf priority = 1
C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"
C:\Splunk\etc\system\default\eventtypes.conf tags =
For btool to show search-time precedence, you have to specify the context (app and user):
splunk btool eventtypes list --debug --app=<app> --user=<user>
for example:
splunk btool eventtypes list --debug --app=search --user=admin
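To make the ordering in the thread concrete, here is an added example (not Splunk's code and not from any poster) that models the global-context layering the quoted doc describes: system/local over all app local directories, over all app default directories, over system/default, with apps compared in plain ASCII (code point) order, so "A" beats "Z" and "Z" beats "a". It includes a small parser for the .conf syntax (stanzas, key = value, # comments, backslash continuations). The app names, stanza and search strings are constructed from the thread; the [default] stanza inheritance that btool shows (color, priority, tags from system/default) and the separate app/user-context rules are deliberately not modelled. Running it shows that neither z_myapp_* nor a_myapp_* outranks Splunk_TA_* in this context because uppercase "S" sorts before any lowercase letter, while a name such as A_myapp_* would.

```python
import tempfile
from pathlib import Path


def parse_conf(text):
    """Parse Splunk .conf syntax: [stanza] headers, key = value lines,
    '#' comments and backslash line continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):          # continuation: join with the next line
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def global_context_order(etc, conf_name):
    """Files from lowest to highest priority in the global context.
    Apps are sorted by code point (ASCII order), so 'Splunk_TA...' < 'a_...'
    < 'z_...'; the first name in that order has the highest priority."""
    apps = sorted(p.name for p in (etc / "apps").iterdir() if p.is_dir())
    order = [etc / "system" / "default" / conf_name]
    order += [etc / "apps" / a / "default" / conf_name for a in reversed(apps)]
    order += [etc / "apps" / a / "local" / conf_name for a in reversed(apps)]
    order.append(etc / "system" / "local" / conf_name)
    return order


def resolve(etc, conf_name):
    """Merge every layer; later (higher-priority) files overwrite earlier ones.
    Returns {stanza: {key: (value, relative path of the file that won)}}."""
    merged = {}
    for path in global_context_order(etc, conf_name):
        if not path.is_file():
            continue
        for stanza, kv in parse_conf(path.read_text()).items():
            for key, value in kv.items():
                merged.setdefault(stanza, {})[key] = (
                    value, path.relative_to(etc).as_posix())
    return merged


def write_tree(etc, files):
    """files: {relative path: conf text}; constructed fixtures for the demo."""
    for rel, text in files.items():
        p = etc / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def demo(override_app):
    """Lay out the vendor TA plus one override app named override_app in a
    temporary etc/ tree and return the name of the app whose default/
    eventtypes.conf supplies [bluecoat_proxy] search in the global context."""
    vendor = "Splunk_TA_bluecoat-proxysg"   # name taken from the thread
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        write_tree(etc, {
            "system/default/eventtypes.conf": "# lowest-priority layer\n",
            f"apps/{vendor}/default/eventtypes.conf":
                "[bluecoat_proxy]\n"
                "search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header=\"#\"\n",
            f"apps/{override_app}/default/eventtypes.conf":
                "[bluecoat_proxy]\n"
                "search = sourcetype=bluecoat:proxysg:access* \\\n"
                "  OR sourcetype=bcoat_proxysg* NOT bluecoat_header=\"#\"\n",
        })
        value, source = resolve(etc, "eventtypes.conf")["bluecoat_proxy"]["search"]
        return source.split("/")[1]       # 'apps/<app>/default/eventtypes.conf'


if __name__ == "__main__":
    for name in ("z_myapp_Splunk_TA_bluecoat-proxysg",
                 "a_myapp_Splunk_TA_bluecoat-proxysg",
                 "A_myapp_Splunk_TA_bluecoat-proxysg"):
        print(f"{name:40} -> [bluecoat_proxy] search comes from {demo(name)}")
```

The model only reproduces the global-context rule quoted from the docs; it says nothing about what `btool --app=<app> --user=<user>` will report, which is the context the last answer points to for search-time settings.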