
Splunk Add-On Builder: When I add a sourcetype, why am I getting error "The [access_combined for example] sourcetype already exists in Splunk Enterprise"?


Hi everyone,

I am trying to create a custom TA to normalize my data for the Splunk Enterprise Security app. I am using the Splunk Add-On Builder app.

In step 3, we have to add a sourcetype. When I add a sourcetype with the same name as the one that exists on my Splunk instance, it is supposed to find all the events related to that sourcetype and give me the count of those events.

However, when I do that (here I am using dummy data and adding the sourcetype 'access_combined' which matches the sourcetype name present on my Splunk instance), I am getting an error saying

The access_combined sourcetype already exists in Splunk Enterprise

Please let me know how to resolve this issue. Am I doing something wrong here?

Thank you.

PS: Please find attached the screenshot for further clarification.


Splunk Employee

In Add-on Builder v1.1.0, we can import an existing sourcetype into Add-on Builder. Just click "Import" in step 3, and select one existing sourcetype in the dropdown list.


Splunk Employee

My first question is: why are you trying to create a new TA for access combined? It is in our “List of pretrained source types”, which is defined in the file system/default/props.conf. Add-On Builder is detecting this and preventing you because of the layering of apps and the rules of precedence. If config is in a location with a higher precedence, your new TA will not be able to overrule it.

If your data differs from access combined, it should have a different sourcetype name.

If it is the same but you want to add a couple of field extractions you can just create a new app and build those extractions whilst in it.

If you want to normalise it to a data model (which one(s)?), then it is a little more complex. Best practice is to create new apps on a development system, where you can move any existing config to your new app without risking making a mistake in production. Only move to prod when you are happy.

If you have to do this in production, I would:

  1. First create a new sourcetype; I called it ac2.
  2. Under Advanced, delete the category line and replace it with REPORT-access = access-extractions.
  3. Then click Next.
  4. Upload sample data and continue as normal.
  5. Once you have built your app, edit the app’s props.conf from the command line, replacing ac2 with access_combined.
  6. Reboot Splunk for it to take effect.

But this takes away most of the advantage of the Add-On Builder being GUI.

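Step 5 of the answer above, done from the command line, as an added example that is not part of the original answer: the temporary ac2 stanza that Add-on Builder wrote is renamed to access_combined, touching only the stanza header so REPORT-access and any other settings stay intact, and refusing to run if the file already has an access_combined stanza. The sample props.conf contents and the temporary directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the answer or from Add-on Builder itself).

rename_sourcetype_stanza() {
    # $1 = path to the app's props.conf, $2 = temporary name, $3 = final name
    conf="$1"; old="$2"; new="$3"
    # Two [access_combined] stanzas in one file would silently merge at load
    # time, which is hard to spot later, so bail out instead.
    if grep -q "^\[$new\]" "$conf"; then
        echo "refusing: [$new] already present in $conf" >&2
        return 1
    fi
    # Only the header line [ac2] changes; keys inside the stanza are untouched.
    tmp="$conf.tmp.$$"
    sed "s/^\[$old\]$/[$new]/" "$conf" > "$tmp" && mv "$tmp" "$conf"
    grep -q "^\[$new\]" "$conf"
}

# Constructed sample of what the builder writes for the temporary sourcetype.
demo_dir=$(mktemp -d)
cat > "$demo_dir/props.conf" <<'EOF'
[ac2]
REPORT-access = access-extractions
EVAL-action = if(status < 400, "success", "failure")
EOF

rename_sourcetype_stanza "$demo_dir/props.conf" ac2 access_combined
# After restarting Splunk, confirm which layer each setting now comes from:
#   $SPLUNK_HOME/bin/splunk btool props list access_combined --debug
```

The btool line at the end is the check for the precedence issue the answer describes: it prints the file that wins for every key of the stanza, so you can see whether system/default/props.conf or your app is in effect.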