I have syslog coming into 2 forwarders.
I have the Cisco app tagging the data for the Cisco Security Suite App.
I wanted to add a few lines to change the index to a new index instead of the default syslog one.
Cisco App has this:
## sourcetype identification ####
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
I want to create a new app and call it index-cleanup with a props file like:
Can I have multiple props files tweaking source::udp:514?
Who wins if there is a conflict introduced by a future Cisco App update (e.g. the Cisco app decides it wants to index to notWhereIwantItIndex)?
The right way to override app defaults is with a local config within that app.
You can do what you're trying to do in two ways:
- override the setting in the Cisco app with a local config setting
- disable the setting in the Cisco app with a local config setting, then re-implement your way in another app
To override the setting in the application, make a directory "local" inside the app directory, create an inputs.conf there, add the stanza you'd like to modify or disable, and put the setting there.
In your case, this would be in
<Cisco app dir>/local/inputs.conf and the entry would be
to modify per your spec, or
[source::udp:514]
disabled = 1
to disable - then make your app with the above setting in its own inputs.conf.
You can override the required configurations in the local folder, and Splunk will use configurations from both the local and the default folder. Please note that configurations in local get higher precedence over the same configurations in the default folder.
i.e. the following setting in CiscoApp/default
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pi
What about a merge? I want to keep what the default app is doing for sourcetype etc. I just want to modify the destination for the metadata tag for index.
If I create a /local/inputs.conf and put in
does it merge with the other or override completely the default/inputs.conf?
The better option is to put the changes into the Cisco Security App's /local folder. Copy the inputs.conf file into this folder and update the index as per your requirement. The local folder will not be updated with future upgrades.
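As an added illustration (not posted by anyone in this thread, and not the Cisco app's own configuration), here is what the "keep the sourcetype transforms, only change the index" override looks like in Splunk's own terms. TRANSFORMS-<class> keys live in props.conf, and the index rewrite itself is a transforms.conf stanza that sets the _MetaData:Index key. Splunk merges .conf files key by key: for the same stanza, a key present in <app>/local/ replaces only that key from <app>/default/, and every key local does not mention is kept. That is why the override has to use a new TRANSFORMS-<class> name rather than reuse force_sourcetype_for_cisco. The index name cisco_fw, the class name zz_route_cisco_index and the stanza name route_cisco_to_cisco_fw are hypothetical.

```ini
# Added example, not code from the thread or from the Cisco Security Suite app.
# Goal: leave the Cisco app's sourcetype transforms untouched and only change
# the destination index for events arriving on udp:514.
#
# Merge rule being relied on: within the [source::udp:514] stanza, local/ keys
# override default/ keys of the SAME name; other keys from default/ survive.
# Index "cisco_fw" and the class/stanza names below are hypothetical.

# ---- <Cisco app>/local/props.conf ----
[source::udp:514]
# New class name, so this key is ADDED beside the default app's
# TRANSFORMS-force_sourcetype_for_cisco instead of replacing it.
# Classes run in ASCII order of the class name; "zz_" puts the index
# rewrite after the sourcetype assignment.
TRANSFORMS-zz_route_cisco_index = route_cisco_to_cisco_fw

# ---- <Cisco app>/local/transforms.conf ----
[route_cisco_to_cisco_fw]
# Match every event on this source and rewrite its index metadata.
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = cisco_fw

# ---- What NOT to do (shown commented out) ----
# [source::udp:514]
# TRANSFORMS-force_sourcetype_for_cisco = route_cisco_to_cisco_fw
# Reusing the default's class name replaces that key's value, so the
# force_sourcetype_for_cisco_asa/pix/fwsm transforms would no longer run.
```

Two checks a practitioner would make before relying on this: confirm the merged result with `splunk btool props list source::udp:514 --debug`, which prints each effective key together with the file it came from, and make sure the target index exists on the indexers, since events routed to a non-existent index are not stored where you expect. Because these are parsing-time settings, the override has to be deployed wherever parsing happens (the indexers, or the forwarders if they are heavy forwarders). If you prefer a separate app instead of the Cisco app's local/ directory, the same key-level merge applies, and in the global context any app's local/ directory takes precedence over every app's default/ directory, so a future Cisco app update that changes default/ still loses to your override.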