
Is it possible for addon configuration to overwrite another addon with defaults?

Communicator

Looking for guidance on how one app can overwrite configurations in another app.

Have already read over https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles multiple times, along with experimenting with different app naming and btool debug for validation. Myapp\local\ is not an option, as these will also be used for Splunk Cloud, which doesn’t allow \local\ customization.

Let's take a simple example of eventtype overriding, which is clearly a search-time / App/user configuration file and thus uses reverse-lexicographical order.

\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf
[bluecoat_proxy]
search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"


\apps\z_myapp_Splunk_TA_bluecoat-proxysg\default\eventtypes.conf
[bluecoat_proxy]
search = sourcetype=bluecoat:proxysg:access* OR sourcetype=bcoat_proxysg* NOT bluecoat_header="#"

splunk btool eventtypes list --debug shows Splunk_TA_bluecoat-proxysg wins:

C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf        [bluecoat_proxy]
C:\Splunk\etc\system\default\eventtypes.conf                                    color =
C:\Splunk\etc\system\default\eventtypes.conf                                    description =
C:\Splunk\etc\system\default\eventtypes.conf                                    disabled = 0
C:\Splunk\etc\system\default\eventtypes.conf                                    priority = 1
C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf        search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"
C:\Splunk\etc\system\default\eventtypes.conf                                    tags =

After renaming z_myapp_Splunk_TA_bluecoat-proxysg to myapp_Splunk_TA_bluecoat-proxysg (so now instead of sorting below Splunk_TA_bluecoat-proxysg, it sorts above), btool debug output remains unchanged. The Splunk_TA_bluecoat-proxysg bluecoat_proxy eventtype still “wins”.

default.meta in both addons is the same

[]
access = read : [ * ], write : [ admin,sc_admin]
export = system

I'm trying to avoid having to re-author every single addon we have customization for in the Cloud. The idea is to keep the Splunk/third-party made addon as-is and then apply our customization in a separate addon (as today, we're doing this in \addon\local\ which is not possible for Cloud) -- NOT editing the Splunk/third-party made addon directly.

Is it possible to accomplish this goal?

0 Karma

Re: Is it possible for addon configuration to overwrite another addon with defaults?

Champion

Is it "a" instead of "z"?

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wheretofindtheconfigurationfiles

The finer points of lexicographical order

In the global context only, lexicographical order determines precedence. Thus, files in an apps directory named "A" have a higher priority than files in an apps directory named "B", and so on. Also, all apps starting with an uppercase letter have precedence over any apps starting with a lowercase letter, due to lexicographical order. ("A" has precedence over "Z", but "Z" has precedence over "a", for example.)

0 Karma

Re: Is it possible for addon configuration to overwrite another addon with defaults?

Communicator

Still appears to sort above the Splunk TA, but went ahead and gave it a try. Still not working (this is with 7.2.8 on Windows). btool confirms my addon is being read -- just for other eventtypes not present in the Splunk TA.

C:\Splunk\bin>splunk btool eventtypes list --debug
C:\Splunk\etc\apps\a_myapp_Splunk_TA_bluecoat-proxysg\default\eventtypes.conf [bluecoat_authentication]
C:\Splunk\etc\system\default\eventtypes.conf                                    color =
C:\Splunk\etc\system\default\eventtypes.conf                                    description =
C:\Splunk\etc\system\default\eventtypes.conf                                    disabled = 0
C:\Splunk\etc\system\default\eventtypes.conf                                    priority = 1
C:\Splunk\etc\apps\a_myapp_Splunk_TA_bluecoat-proxysg\default\eventtypes.conf search = sourcetype="bluecoat:proxysg:appliance:syslog" vendor_file="authconsole.cpp"
C:\Splunk\etc\system\default\eventtypes.conf                                    tags =
<snip>
C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf        [bluecoat_proxy]
C:\Splunk\etc\system\default\eventtypes.conf                                    color =
C:\Splunk\etc\system\default\eventtypes.conf                                    description =
C:\Splunk\etc\system\default\eventtypes.conf                                    disabled = 0
C:\Splunk\etc\system\default\eventtypes.conf                                    priority = 1
C:\Splunk\etc\apps\Splunk_TA_bluecoat-proxysg\default\eventtypes.conf        search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"
C:\Splunk\etc\system\default\eventtypes.conf                                    tags =
0 Karma

Re: Is it possible for addon configuration to overwrite another addon with defaults?

Explorer

For btool to show search time precedence you have to specify the context (app and user).

splunk btool eventtypes list --debug --app=<app> --user=<user>

for example:

splunk btool eventtypes list --debug --app=search --user=admin
0 Karma
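
An added example (not from any post in this thread, and not Splunk's own code) that models the two orderings discussed above: lexicographical order in the global context, as the quoted documentation says, and reverse-lexicographical order in the app/user context, as the question says, which is the view btool only shows when given --app and --user. It is a simplified model that assumes only the apps' default directories matter and that every stanza is exported with export = system; the function names and the `search` entry are illustrative.

```python
# Simplified model: which app's default/eventtypes.conf supplies a setting.
# Assumptions: no local/ or user directories, all stanzas exported globally.
GLOBAL = "global"      # what plain "btool ... list --debug" evaluates
APP_USER = "app_user"  # what "btool ... --app=<app> --user=<user>" evaluates

TA = "Splunk_TA_bluecoat-proxysg"
TA_SEARCH = 'sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"'
CUSTOM_SEARCH = ('sourcetype=bluecoat:proxysg:access* OR '
                 'sourcetype=bcoat_proxysg* NOT bluecoat_header="#"')


def app_order(apps, context, current_app=None):
    """Return app directory names from highest to lowest precedence."""
    if context == GLOBAL:
        # ASCII order: every uppercase letter sorts before any lowercase one.
        return sorted(apps)
    # App/user context: the current app first, then the other apps in
    # reverse ASCII order.
    others = sorted((a for a in apps if a != current_app), reverse=True)
    return ([current_app] if current_app in apps else []) + others


def resolve(stanza, key, app_confs, context, current_app=None):
    """Return (app, value) for the first app in precedence order that sets key."""
    for app in app_order(app_confs, context, current_app):
        value = app_confs[app].get(stanza, {}).get(key)
        if value is not None:
            return app, value
    return None, None


def winner(custom_app, context, current_app=None):
    """Which app supplies [bluecoat_proxy] search for a given custom app name."""
    confs = {  # constructed from the two stanzas quoted in the question
        TA: {"bluecoat_proxy": {"search": TA_SEARCH}},
        custom_app: {"bluecoat_proxy": {"search": CUSTOM_SEARCH}},
        "search": {},  # the app named in --app=search; defines no such stanza
    }
    return resolve("bluecoat_proxy", "search", confs, context, current_app)[0]


if __name__ == "__main__":
    for name in ("z_myapp_" + TA, "myapp_" + TA, "a_myapp_" + TA):
        print(name, "| global:", winner(name, GLOBAL),
              "| app/user:", winner(name, APP_USER, "search"))
```

Under this model every lowercase-prefixed name loses to `Splunk_TA_bluecoat-proxysg` in the global context because "S" sorts before "a", "m" and "z", while the same names win in the app/user context.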