Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you override a default app setting on a search head cluster?

john_dagostino
Path Finder
‎02-11-2019 05:49 AM

We are using the Palo Alto TA and pushing the default app to our search head cluster. In props.conf there is an automatic lookup which references a KV store that is empty, causing errors when searching that data source on the search heads:

LOOKUP-minemeldfeeds_src_lookup = minemeldfeeds_lookup indicator AS src_ip OUTPUT value.autofocus_tags AS src_autofocus_tags

I've tried creating the same stanza in local/props.conf on the deployer without specifying the lookup but that just brings additional errors:

LOOKUP-minemeldfeeds_src_lookup =

We don't plan on using the minemeldfeeds so I don't see a need for this automatic lookup. Other than remarking the line in default, how would we disable a default setting in an app on the search heads?

0 Karma
Reply

lakshman239
Influencer
‎02-11-2019 06:56 AM

whats your version of splunk core, ES, CIM and PA add-on? we are on 7.0.3/ 5.0.x, 4.11.0 and 6.0.2 and don't use mimemeldfeeds and I don't see any error when searching sourcetype=pan:threat.

What error are you seeing? what's your search?

you may be able to override the default/transforms.conf def with local/transforms definition, but thats' normally not needed.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...