I am trying to create a custom TA to normalize my data for the Splunk Enterprise Security app. I am using the Splunk Add-On Builder app.
In step 3, we have to add a sourcetype. When I add a sourcetype with the same name as the one that exists on my Splunk instance, it is supposed to find all the events related to that sourcetype and give me the count of those events.
However, when I do that (here I am using dummy data and adding the sourcetype 'access_combined', which matches the sourcetype name present on my Splunk instance), I am getting an error saying:
The access_combined sourcetype already exists in Splunk Enterprise
Please let me know how to resolve this issue. Am I doing something wrong here?
PS: Please find attached the screenshot for further clarification.
My first question is why are you trying to create a new TA for access_combined? It is in our “List of pretrained source types” that is defined in the file system/default/props.conf. Add-On Builder is detecting this and preventing you because of the layering of apps and the rules of precedence. If config is in a location with a higher precedence, your new TA will not be able to overrule it.
If your data differs from access_combined, it should have a different sourcetype name.
If it is the same but you want to add a couple of field extractions you can just create a new app and build those extractions whilst in it.
If you want to normalise it to a data model (which one(s)?), then it is a little more complex. Best practice is to create new apps on a development system where you can move any existing config to your new app without risking making a mistake in production. Only move to prod when you are happy.
If you have to do this in production, I would:
props.conf from the command line. Replacing
But this takes away most of the advantage of the Add-On Builder being GUI.
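As an added illustration (not part of the original thread) of the "create a new app and build those extractions whilst in it" suggestion: the files below live in a separate app layered on top of the pretrained access_combined sourcetype and only add knowledge objects for the CIM Web data model; they never redefine the sourcetype. The app name TA-web_cim, the eventtype name and the action mapping are assumptions.

```ini
# $SPLUNK_HOME/etc/apps/TA-web_cim/local/props.conf   (app name is an assumption)
# This stanza merges with the pretrained [access_combined] stanza in
# system/default/props.conf; it adds aliases and calculated fields only.
[access_combined]
# Alias the pretrained extractions to CIM Web data model field names
FIELDALIAS-web_cim_src = clientip AS src
FIELDALIAS-web_cim_http_method = method AS http_method
FIELDALIAS-web_cim_uri_path = uri AS uri_path
FIELDALIAS-web_cim_user_agent = useragent AS http_user_agent
# Derive the CIM "action" field from the HTTP status (4xx/5xx = failure; assumed convention)
EVAL-action = if(tonumber(status) >= 400, "failure", "success")

# $SPLUNK_HOME/etc/apps/TA-web_cim/local/eventtypes.conf
# The eventtype scopes the data model tag to this sourcetype only
[web_access_combined]
search = sourcetype=access_combined

# $SPLUNK_HOME/etc/apps/TA-web_cim/local/tags.conf
# The "web" tag is what the CIM Web data model constraint looks for
[eventtype=web_access_combined]
web = enabled
```

After a restart or debug/refresh, `| datamodel Web search` (or a CIM validation search on sourcetype=access_combined) should show the aliased fields populated without Add-On Builder having touched the sourcetype definition.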