Currently I'm using the App and it's pulling Message Trace events successfully. I want to make a second copy of the App and replace microsoft_trace_url to use **https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailMalware?** and would also like to change the Sourcetype to **ms:o365:reporting:maildetailmalware**. The MailDetailMalware API works the same as MessageTrace API, so no other changes need to be made to the script. I tried making a copy of the App, renaming any content/scripts/variables/filenames that mention message_trace or messagetrace to a different variant, and it still did not work. This is my first time modifying a Splunk App that was built with the Add-on Builder, so I'm not 100% sure all that needs to be modified. I know the URL is modified in input_module_ms_o365_message_trace.py, but I'm not sure about the Sourcetype. Like I said, I've tried renaming the App and its content so that I can run the two apps side by side, but was not successful. It seemed to error because of duplicate (maybe?) app IDs.
@jconger - Any advice?
The easiest way to do this is to create a new add-on using the Add-on Builder. This way, your changes will not get wiped out when new versions of the existing add-on get released. Here are the steps at a high level: