Splunk Add-On Builder: When I add a sourcetype, why am I getting error "The [access_combined for example] sourcetype already exists in Splunk Enterprise"?

hpurabiya
New Member

Hi everyone,

I am trying to create a custom TA to normalize my data for the Splunk Enterprise Security app. I am using the Splunk Add-On Builder app.

In step 3, we have to add a sourcetype. When I add a sourcetype with the same name as the one that exists on my Splunk instance, it is supposed to find all the events related to that sourcetype and give me the count of those events.

However, when I do that (here I am using dummy data and adding the sourcetype 'access_combined' which matches the sourcetype name present on my Splunk instance), I am getting an error saying

The access_combined sourcetype already exists in Splunk Enterprise

Please let me know how to resolve this issue. Am I doing something wrong here?

Thank you.

PS: Please find attached the screenshot for further clarification.

chli_splunk
Splunk Employee

In Add-on Builder v1.1.0, we can import an existing sourcetype into Add-on Builder. Just click "Import" in step 3 and select an existing sourcetype from the dropdown list.

bmunson_splunk
Splunk Employee

My first question is: why are you trying to create a new TA for access_combined? It is in our "List of pretrained source types", which is defined in the file system/default/props.conf. Add-On Builder is detecting this and preventing you because of the layering of apps and the rules of precedence. If config is in a location with a higher precedence, your new TA will not be able to overrule it.

If your data differs from access combined, it should have a different sourcetype name.

If it is the same but you want to add a couple of field extractions you can just create a new app and build those extractions whilst in it.

If you want to normalise it to a data model (which one or ones?), then it is a little more complex. Best practice is to create new apps on a development system, where you can move any existing config to your new app without risking making a mistake in production. Only move to prod when you are happy.

If you have to do this in production, I would:

  1. First create a new sourcetype; I called it ac2.
  2. Under Advanced, delete the category line and replace it with REPORT-access = access-extractions.
  3. Then click Next.
  4. Upload sample data and continue as normal.
  5. Once you have built your app, edit the app's props.conf from the command line, replacing ac2 with access_combined.
  6. Reboot Splunk for it to take effect.

But this takes away most of the advantage of the Add-On Builder being GUI.

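Step 5 of the procedure above, the command-line rename of the placeholder stanza, is the part most likely to go wrong (a typo in the stanza header, or a second [access_combined] stanza already present in the same file). The script below is an added example and is not code from the original post or from Splunk: it rewrites only the "[ac2]" header line of a props.conf, refuses to clobber an existing target stanza, and lists the resulting stanza names so the change can be checked. The props.conf content is a constructed sample of what Add-On Builder emits, and the app path TA-example/local is an assumption; on a real instance the file lives under $SPLUNK_HOME/etc/apps/<your_app>/.

```shell
#!/bin/sh
# Added example (not from the original post). Renames a sourcetype stanza
# header in a props.conf file, as in step 5 of the procedure above.
set -eu

# Constructed sample of the props.conf Add-On Builder writes for the
# placeholder sourcetype "ac2" (assumed content, for illustration only).
sample_props() {
  cat <<'EOF'
[ac2]
REPORT-access = access-extractions
EVAL-action = if(status>=400, "failure", "success")
FIELDALIAS-src = clientip AS src
EOF
}

# Print the stanza names ([name] header lines) found in a .conf file.
stanzas() {
  sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# Rename the stanza header "[old]" to "[new]" in FILE.
# Only the header line is touched: a key value that happens to contain the
# old name is left alone, so the change stays small and reviewable.
# Fails if the old stanza is missing or the new one already exists
# (two stanzas with the same name would silently merge in Splunk).
rename_stanza() {
  file=$1; old=$2; new=$3
  if ! grep -qx "\[$old\]" "$file"; then
    echo "rename_stanza: no [$old] stanza in $file" >&2
    return 1
  fi
  if grep -qx "\[$new\]" "$file"; then
    echo "rename_stanza: [$new] already present in $file; merge by hand" >&2
    return 1
  fi
  tmp=$(mktemp)
  sed "s/^\[$old\]\$/[$new]/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Stand-alone demo: build the sample app layout in a scratch directory,
# perform the rename, and show the stanza list afterwards.
workdir=$(mktemp -d)
app="$workdir/TA-example/local"          # assumed app path for the demo
mkdir -p "$app"
sample_props > "$app/props.conf"
rename_stanza "$app/props.conf" ac2 access_combined
echo "stanzas now in $app/props.conf:"
stanzas "$app/props.conf"
```

After the rename and a restart, the check worth running on the real instance is splunk btool props list access_combined --debug, which prints every setting of the merged stanza together with the file it was finally taken from; if your app's REPORT-access line is not the one shown, the precedence problem the answer describes is still in effect.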