Splunk Add-On Builder: When I add a sourcetype, why am I getting error "The [access_combined for example] sourcetype already exists in Splunk Enterprise"?

hpurabiya
New Member

Hi everyone,

I am trying to create a custom TA to normalize my data for the Splunk Enterprise Security app. I am using the Splunk Add-On Builder app.

In step 3, we have to add a sourcetype. When I add a sourcetype with the same name as the one that exists on my Splunk instance, it is supposed to find all the events related to that sourcetype and give me the count of those events.

However, when I do that (here I am using dummy data and adding the sourcetype 'access_combined' which matches the sourcetype name present on my Splunk instance), I am getting an error saying

The access_combined sourcetype already exists in Splunk Enterprise

Please let me know how to resolve this issue. Am I doing something wrong here?

Thank you.

PS: Please find attached the screenshot for further clarification.

0 Karma

chli_splunk
Splunk Employee

In Add-on Builder v1.1.0, we can import an existing sourcetype into Add-on Builder. Just click "Import" in step 3, and select one existing sourcetype in the dropdown list.

0 Karma

bmunson_splunk
Splunk Employee

My first question is why are you trying to create a new TA for access combined? It is in our “List of pretrained source types” that is defined in the file system/default/props.conf. Add-On Builder is detecting this and preventing you because of the layering of apps and the rules of precedence. If config is in a location with a higher precedence, your new TA will not be able to overrule it.

If your data differs from access combined, it should have a different sourcetype name.

If it is the same but you want to add a couple of field extractions you can just create a new app and build those extractions whilst in it.

If you want to normalise it to a data model (which one(s)?), then it is a little more complex. Best practice is to create new apps on a development system where you can move any existing config to your new app without risking making a mistake in production. Only move to prod when you are happy.

If you have to do this in production, I would:

  1. First create a new sourcetype; I called it ac2.
  2. Under advanced, delete the category line and replace it with REPORT-access = access-extractions.
  3. Then click next.
  4. Upload sample data and continue as normal.
  5. Once you have built your app, edit the app’s props.conf from the command line, replacing ac2 with access_combined.
  6. Reboot Splunk for it to take effect.

But this takes away most of the advantage of the Add-On Builder being GUI.

0 Karma
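The answer above turns on how Splunk layers props.conf stanzas across system/default, the app's own default directory and system/local, which decides whether the renamed ac2 stanza in a new TA actually takes effect. The script below is an added illustration, not code from this thread or from Splunk: it merges three constructed props.conf fragments in the documented global-context precedence order (system/local highest, then app local, app default, system/default lowest) and records which file supplied each winning key. The stanza contents and file paths (including the TA name "TA-ac2") are constructed samples, not the real contents of Splunk's system/default/props.conf.

```python
"""Simulate Splunk's global-context props.conf layering (added example).

The precedence order is the documented global-context order; the stanza
contents below are constructed samples, not Splunk's shipped defaults.
"""
import configparser
from typing import Dict, List, Tuple

# Constructed layers, listed from lowest to highest precedence.
SYSTEM_DEFAULT = """
[access_combined]
pulldown_type = true
maxDist = 28
REPORT-access = access-extractions
category = Web
"""

# The TA built with Add-on Builder, after renaming the ac2 stanza by hand.
TA_DEFAULT = """
[access_combined]
REPORT-access = access-extractions
EVAL-vendor_product = "Apache"
"""

# A local override an admin may already have in place; this always wins.
SYSTEM_LOCAL = """
[access_combined]
maxDist = 40
"""

LAYERS: List[Tuple[str, str]] = [
    ("etc/system/default/props.conf", SYSTEM_DEFAULT),   # lowest precedence
    ("etc/apps/TA-ac2/default/props.conf", TA_DEFAULT),  # hypothetical TA
    ("etc/system/local/props.conf", SYSTEM_LOCAL),       # highest precedence
]


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an ini-style Splunk conf fragment into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: REPORT-access, EVAL-vendor_product
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def merge_layers(layers: List[Tuple[str, str]]) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Layer conf files from lowest to highest precedence.

    Returns {stanza: {key: (value, source_path)}} so each effective value can
    be traced to the file that set it. Later (higher-precedence) layers
    override earlier ones key by key; keys they do not mention fall through.
    """
    merged: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for path, text in layers:
        for stanza, keys in parse_conf(text).items():
            target = merged.setdefault(stanza, {})
            for key, value in keys.items():
                target[key] = (value, path)
    return merged


def effective_stanza(name: str) -> Dict[str, str]:
    """Effective key/value pairs for one stanza after layering."""
    return {k: v for k, (v, _) in merge_layers(LAYERS).get(name, {}).items()}


def winning_source(name: str, key: str) -> str:
    """Path of the file whose value for `key` in `name` is in effect."""
    return merge_layers(LAYERS)[name][key][1]


if __name__ == "__main__":
    for key, (value, path) in merge_layers(LAYERS)["access_combined"].items():
        print(f"{key:<22} = {value:<22} <- {path}")
```

Running it shows the TA's EVAL-vendor_product and REPORT-access keys taking effect over system/default while maxDist stays pinned to the system/local value, which is the precedence point the answer makes. The simulation takes an explicit ordered list; a real deployment also orders multiple apps' local and default directories among themselves, which this toy does not model.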