All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for ServiceNow 2.6.0: Why does the latest version of the app use the [default] stanza, overriding other sourcetypes in my environment?

jgoddard
Path Finder
‎06-25-2015 10:34 AM

The most recent version of this app has a change that makes it bad.

The default/props.conf contains:

[default]
MAX_TIMESTAMP_LOOKAHEAD = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
REPORT-sys_id = sys_id

the [default] stanza should NOT be used in an app, as it overrides EVERYTHING that isn't specifically set somewhere else. So, for every sourcetype in my environment now, I have a "REPORT=sys_id = sys_id". And for any other sourcetype, where the MAX_TIMESTAMP_LOOKAHEAD isn't specifically set, is now getting that setting of only look 1 character forward... Not going to pick up many timestamps that way. btool reports picking up stanzas from Splunk_TA_snow for just about all of my sourcetypes.

I am reverting [default] to [snow] in my copy, which is what it was previously, and that should provide the default settings to all the snow: sourcetypes but NOT globally override other settings.

Jim

0 Karma
Reply

bwooden
Splunk Employee
Splunk Employee
‎06-25-2015 01:45 PM

That is a valid point and concern, @jgoddard. I've downloaded the latest copy of the Splunk Add-on for ServiceNow and do not see a [default] stanza within its default/props.conf. Would you be able to provide a copy of your default/app.conf to make an investigation easier?

Reply

jgoddard
Path Finder
‎06-25-2015 02:05 PM

Ok, that is what i get for not checking versions. The issue I ranted about is indeed not present in the 2.6.0 version of the TA, it does exist in 2.5.0, which is what i was seeing.

I will update mine to the current version.

Thanks for fixing, and the tip!

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...