Is it possible for addon configuration to overwrite another addon with defaults?

ChrisBell04
Communicator

Looking for guidance on how one app can overwrite configurations in another app.

Have already read over https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles multiple times, along with experimenting with different app naming and btool debug for validation. Myapp\local\ is not an option, as these will also be used for Splunk Cloud, which doesn’t allow \local\ customization.

Let's take a simple example of eventtype overriding, which is clearly a search-time / App/user configuration file and thus uses reverse-lexicographical order.

\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf
[bluecoat_proxy]
search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"


\apps\z_myapp_Splunk_TA_bluecoat-proxysg\default\eventtypes.conf
[bluecoat_proxy]
search = sourcetype=bluecoat:proxysg:access* OR sourcetype=bcoat_proxysg* NOT bluecoat_header="#"

splunk btool eventtypes list --debug shows Splunk_TA_bluecoat-proxysg wins:

C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf        [bluecoat_proxy]
C:\Splunk\etc\system\default\eventtypes.conf                                    color =
C:\Splunk\etc\system\default\eventtypes.conf                                    description =
C:\Splunk\etc\system\default\eventtypes.conf                                    disabled = 0
C:\Splunk\etc\system\default\eventtypes.conf                                    priority = 1
C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf        search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"
C:\Splunk\etc\system\default\eventtypes.conf                                    tags =

Renaming z_myapp_Splunk_TA_bluecoat-proxysg to myapp_Splunk_TA_bluecoat-proxysg (so now instead of sorting below Splunk_TA_bluecoat-proxysg, it sorts above), btool debug output remains unchanged. Splunk_TA_bluecoat-proxysg bluecoat_proxy event still “wins”.

default.meta in both addons is the same

[]
access = read : [ * ], write : [ admin,sc_admin]
export = system

I'm trying to avoid having to re-author every single addon we have customization for in the Cloud. The idea is to keep the Splunk/third-party made addon as-is and then apply our customization in a separate addon (as today, we're doing this in \addon\local\ which is not possible for Cloud) -- NOT editing the Splunk/third-party made addon directly.

Is it possible to accomplish this goal?


HiroshiSatoh
Champion

Is it "a_" instead of "z_"?

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wheretofindtheconfigurationfiles

The finer points of lexicographical order

In the global context only, lexicographical order determines precedence. Thus, files in an apps directory named "A" have a higher priority than files in an apps directory named "B", and so on. Also, all apps starting with an uppercase letter have precedence over any apps starting with a lowercase letter, due to lexicographical order. ("A" has precedence over "Z", but "Z" has precedence over "a", for example.)


ChrisBell04
Communicator

Still appears to sort above the splunk TA, but went ahead and gave it a try. Still not working (this is with 7.2.8 on Windows). btool confirms my addon is being read -- just for other eventtypes not present in the splunk ta.

C:\Splunk\bin>splunk btool eventtypes list --debug
C:\Splunk\etc\apps\a_myapp_Splunk_TA_bluecoat-proxysg\default\eventtypes.conf [bluecoat_authentication]
C:\Splunk\etc\system\default\eventtypes.conf                                    color =
C:\Splunk\etc\system\default\eventtypes.conf                                    description =
C:\Splunk\etc\system\default\eventtypes.conf                                    disabled = 0
C:\Splunk\etc\system\default\eventtypes.conf                                    priority = 1
C:\Splunk\etc\apps\a_myapp_Splunk_TA_bluecoat-proxysg\default\eventtypes.conf search = sourcetype="bluecoat:proxysg:appliance:syslog" vendor_file="authconsole.cpp"
C:\Splunk\etc\system\default\eventtypes.conf                                    tags =
<snip>
C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf        [bluecoat_proxy]
C:\Splunk\etc\system\default\eventtypes.conf                                    color =
C:\Splunk\etc\system\default\eventtypes.conf                                    description =
C:\Splunk\etc\system\default\eventtypes.conf                                    disabled = 0
C:\Splunk\etc\system\default\eventtypes.conf                                    priority = 1
C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf        search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"
C:\Splunk\etc\system\default\eventtypes.conf                                    tags =

stefan_ghita
Explorer

For btool to show search time precedence you have to specify the context (app and user).

splunk btool eventtypes list --debug --app=<app> --user=<user>

for example:

splunk btool eventtypes list --debug --app=search --user=admin
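
Added example (not part of any post in this thread, and not Splunk code): a simplified Python model of the two directory orderings discussed above, run against the app names from the thread plus one constructed name, `A_myapp_Splunk_TA_bluecoat-proxysg`. It assumes only default/ directories define the stanza, every app exports it (export = system), and the context app (`search`) does not define it; the function names are hypothetical.

```python
# Simplified model of which app's default/ stanza wins a name collision.
# Assumptions: no local/ or user-level copies exist and every app
# exports the stanza globally (export = system in default.meta).

TA = "Splunk_TA_bluecoat-proxysg"

def global_order(apps):
    """Global context (btool without --app): ASCII order, first entry wins.
    Uppercase letters sort before lowercase ones."""
    return sorted(apps)

def app_user_order(apps, current_app):
    """App/user context (btool --app=<app> --user=<user>): the current app
    first, then all other apps in reverse ASCII order."""
    others = sorted((a for a in apps if a != current_app), reverse=True)
    return ([current_app] if current_app in apps else []) + others

def winner(apps, context_app=None):
    """Return the app whose copy of the stanza takes effect."""
    if context_app is None:
        return global_order(apps)[0]
    return app_user_order(apps, context_app)[0]

def compare(override_names, context_app="search"):
    """For each candidate override app, report the winner in both contexts."""
    return {
        name: {
            "global": winner([TA, name]),
            "app_user": winner([TA, name], context_app),
        }
        for name in override_names
    }

if __name__ == "__main__":
    candidates = [
        "z_myapp_Splunk_TA_bluecoat-proxysg",
        "myapp_Splunk_TA_bluecoat-proxysg",
        "a_myapp_Splunk_TA_bluecoat-proxysg",
        "A_myapp_Splunk_TA_bluecoat-proxysg",  # constructed for contrast
    ]
    for name, result in compare(candidates).items():
        print(f"{name:40} global={result['global']:40} "
              f"app_user={result['app_user']}")
```

Under this model every lowercase-prefixed override loses to the TA in the global listing, which matches the btool output posted above, and wins once an app context is supplied; the uppercase `A_` name shows the opposite outcome in each context.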