I have syslog coming into 2 forwarders.
I have the cisco app tagging the data for the Cisco Security Suite App.
I wanted to add a few lines to change the index to a new index instead of the default syslog one.
Cisco App has this:
## sourcetype identification
####
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
I want to create a new app and call it index-cleanup with a props file like:
[source::udp:514]
TRANSFORMS-SendtoCiscoIndex
Can I have multiple props files tweaking the source::udp:514?
Who wins if there is a conflict that may be set in a future Cisco App update (ex: the Cisco app decides it wants to index to notWhereIwantItIndex)?
thanks
GD
The right way to override app defaults is with a local config within that app.
You can do what you're trying to do in 2 ways:
- override the setting in the Cisco app with a local config setting
- disable the setting in the Cisco app with a local config setting, then re-implement your way in another app
To override the setting in the application, make a directory "local" inside the app directory, create an inputs.conf there, add the stanza you'd like to modify or disable, and put the setting there.
In your case, this would be in <Cisco app dir>/local/inputs.conf
and the entry would be
[source::udp:514]
TRANSFORMS-SendtoCiscoIndex
to modify per your spec, or
[source::udp:514]
disabled = 1
to disable; then make your app with the above setting in its own inputs.conf.
You can override required configurations in local folder and Splunk will use configurations from both local as well as a default folder. Please note configurations in local gets higher precedence over the same configurations in default folder.
i.e. the following setting in CiscoApp/default
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
CiscoApp/local
[source::udp:514]
TRANSFORMS-SendtoCiscoIndex
What about a merge? I want to keep what the default app is doing for sourcetype etc. I just want to modify the destination for the metadata tag for index.
If I create a /local/inputs.conf and put in
[source::udp:514]
TRANSFORMS-SendtoCiscoIndex
does it merge with the other or override completely the default/inputs.conf?
The better option is to put the changes into the Cisco Security App's /local folder. Copy the inputs.conf file into this folder and update the index as per your requirement. The local folder will not be updated with future upgrades.
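An added example (not from this thread or the Cisco app) showing how the three files fit together. The `[source::...]` stanzas carrying `TRANSFORMS-` settings live in props.conf, and the transform itself in transforms.conf; `cisco_secure` is a placeholder index name and `SendtoCiscoIndex` is the name used in the question.

```ini
# ---- $SPLUNK_HOME/etc/apps/<Cisco app>/default/props.conf ----
# Shipped by the app; leave it alone so upgrades can replace it.
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

# ---- $SPLUNK_HOME/etc/apps/<Cisco app>/local/props.conf ----
# Same stanza, DIFFERENT attribute name, so Splunk merges them attribute by
# attribute: the default sourcetype TRANSFORMS stay in force and this one is
# added beside them. Only a local attribute with the same name as a default
# attribute replaces the default value. local/ survives app upgrades.
[source::udp:514]
TRANSFORMS-SendtoCiscoIndex = SendtoCiscoIndex

# ---- $SPLUNK_HOME/etc/apps/<Cisco app>/local/transforms.conf ----
# Index-time routing: rewrite the index metadata key for every event
# (REGEX = . matches any non-empty event).
# "cisco_secure" is a placeholder; the index must already be defined in
# indexes.conf on the indexers that receive this data.
[SendtoCiscoIndex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = cisco_secure

# ---- Check the merged result on the host that parses the data ----
# $SPLUNK_HOME/bin/splunk btool props list "source::udp:514" --debug
# The --debug column names the file each attribute came from; you should see
# both TRANSFORMS-* lines, one from default/ and one from local/.
```

Index-time transforms like this run only where the parsing pipeline runs (indexers or heavy forwarders), so if the two forwarders receiving the syslog are universal forwarders the files must be deployed on the indexers, not on the forwarders.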