Linux Auditd: Why does auditd_indicies.csv become ...

atomiccolo · ‎03-31-2016

At a yet to be determined interval, several times throughout the day, my /opt/splunk/etc/apps/TA_linux-auditd/lookups/auditd_indicies.csv file becomes truncated. The app stops working. I can resolve the issue adding the "*" index back to the file.

My events are being logged to the indexer/search head using a custom index called "auth"

Is there a way to prevent this behavior from happening?

doksu · ‎03-31-2016

You can disable the periodic update of auditd_indicies.csv by going to Settings -> Searches, reports, and alerts -> Change the 'App Context' dropdown to 'Linux Auditd Technology Add-On (TA_linux-auditd)' -> Click 'Disable' next to the 'Update auditd_indicies lookup' search.

In what way is the lookup being truncated? The saved search mentioned above uses this (| tstats values(sourcetype) as sourcetype where [|inputlookup auditd_sourcetypes] by index | table index | outputlookup auditd_indicies) to update the auditd_indicies.csv lookup every four hours. If the auditd_indicies.csv lookup is empty after this runs, I think the issue may be that there's a problem with auditd_sourcetypes.csv - have you modified it and if so could you please provide?

Here's an example of what an auditd_sourcetypes.csv should look like if you've modified it to support the vendor's old sourcetype naming convention:

sourcetype
linux:audit
linux_audit

Linux Auditd: Why does auditd_indicies.csv become truncated several times a day and the app stops working?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation