At a yet to be determined interval, several times throughout the day, my /opt/splunk/etc/apps/TA_linux-auditd/lookups/auditd_indicies.csv file becomes truncated. The app stops working. I can resolve the issue by adding the "*" index back to the file.
My events are being logged to the indexer/search head using a custom index called "auth".
Is there a way to prevent this behavior from happening?
You can disable the periodic update of auditd_indicies.csv by going to Settings -> Searches, reports, and alerts -> Change the 'App Context' dropdown to 'Linux Auditd Technology Add-On (TA_linux-auditd)' -> Click 'Disable' next to the 'Update auditd_indicies lookup' search.
In what way is the lookup being truncated? The saved search mentioned above uses this (| tstats values(sourcetype) as sourcetype where [|inputlookup auditd_sourcetypes] by index | table index | outputlookup auditd_indicies) to update the auditd_indicies.csv lookup every four hours. If the auditd_indicies.csv lookup is empty after this runs, I think the issue may be that there's a problem with auditd_sourcetypes.csv - have you modified it, and if so could you please provide it?
Here's an example of what an auditd_sourcetypes.csv should look like if you've modified it to support the vendor's old sourcetype naming convention:
sourcetype
linux:audit
linux_audit
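The answer above describes a chain worth seeing end to end: the subsearch reads the sourcetype column of auditd_sourcetypes.csv, tstats keeps only indexes carrying those sourcetypes, and outputlookup rewrites auditd_indicies.csv with whatever is left, including nothing. The script below is an added example, not code from the thread or from the TA_linux-auditd add-on; it models that saved search offline on constructed sample data so you can see how a malformed sourcetypes lookup (here, a renamed header column) yields an empty subsearch and therefore a header-only indices file, and how a guard that refuses to write an empty result keeps the existing file. The guard mirrors the outputlookup override_if_empty=false option (check that your Splunk version supports it); the file contents and event tuples are constructed for the example.

```python
"""Added example (not from the thread or the add-on): model the
'Update auditd_indicies lookup' saved search offline to show how a
malformed auditd_sourcetypes.csv makes the subsearch match nothing,
which in turn truncates auditd_indicies.csv, and how refusing to write
an empty result prevents that."""
import csv
import io

# Constructed sample lookup contents (not copied from any real deployment).
GOOD_SOURCETYPES_CSV = "sourcetype\nlinux:audit\nlinux_audit\n"
# Same rows, but the header column was renamed, so no row carries a
# 'sourcetype' field and the subsearch expands to nothing.
BAD_SOURCETYPES_CSV = "source_type\nlinux:audit\nlinux_audit\n"

# Constructed sample of what tstats would see: (index, sourcetype) pairs.
# The thread's setup has auditd events in a custom index called "auth".
SAMPLE_EVENTS = [
    ("auth", "linux:audit"),
    ("auth", "linux_audit"),
    ("main", "syslog"),
]


def load_sourcetypes(csv_text: str) -> list[str]:
    """Read the 'sourcetype' column of auditd_sourcetypes.csv. Rows without
    a non-blank 'sourcetype' field are dropped, mirroring how a subsearch
    over a lookup only emits fields that actually exist in the file."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["sourcetype"].strip() for row in reader
            if row.get("sourcetype") and row["sourcetype"].strip()]


def subsearch_filter(sourcetypes: list[str]) -> str:
    """Render the WHERE clause that [|inputlookup auditd_sourcetypes]
    expands to. An empty list renders as an empty filter."""
    return " OR ".join(f'sourcetype="{s}"' for s in sourcetypes)


def indices_with_sourcetypes(events, sourcetypes) -> list[str]:
    """Equivalent of '| tstats ... where <subsearch> by index | table index'."""
    wanted = set(sourcetypes)
    return sorted({idx for idx, st in events if st in wanted})


def render_indices_lookup(indices) -> str:
    """Serialise the result the way outputlookup writes auditd_indicies.csv."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["index"])
    for idx in indices:
        writer.writerow([idx])
    return out.getvalue()


def update_lookup(current_csv: str, events, sourcetypes_csv: str,
                  override_if_empty: bool = True) -> str:
    """Model of outputlookup: by default it overwrites the file even when
    there are no results; with override_if_empty=False an empty result
    leaves the existing contents untouched."""
    indices = indices_with_sourcetypes(events, load_sourcetypes(sourcetypes_csv))
    if not indices and not override_if_empty:
        return current_csv
    return render_indices_lookup(indices)


def is_truncated(indices_csv: str) -> bool:
    """Detection check: a header-only (or empty) lookup means the last
    update wrote no indexes, which is the symptom the question describes."""
    rows = [r for r in csv.reader(io.StringIO(indices_csv)) if r]
    return len(rows) <= 1


if __name__ == "__main__":
    existing = "index\n*\n"  # the file after the asker's manual fix
    for label, st_csv in (("good", GOOD_SOURCETYPES_CSV), ("bad", BAD_SOURCETYPES_CSV)):
        print(f"--- {label} sourcetypes lookup ---")
        print("subsearch filter:", repr(subsearch_filter(load_sourcetypes(st_csv))))
        written = update_lookup(existing, SAMPLE_EVENTS, st_csv)
        print("default outputlookup result:", repr(written),
              "truncated" if is_truncated(written) else "ok")
        kept = update_lookup(existing, SAMPLE_EVENTS, st_csv, override_if_empty=False)
        print("guarded result:", repr(kept))
```

Running it prints the filter string and the resulting file for both the correct and the broken sourcetypes lookup; the broken one produces a header-only auditd_indicies.csv under the default behaviour and keeps the previous contents under the guarded one. The same `is_truncated` check, pointed at the real lookup file, is a cheap way to alert on the symptom instead of discovering it when the app stops working.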