Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you override a default app setting on a search head cluster?

john_dagostino
Path Finder
‎02-11-2019 05:49 AM

We are using the Palo Alto TA and pushing the default app to our search head cluster. In props.conf there is an automatic lookup which references a KV store that is empty, causing errors when searching that data source on the search heads:

LOOKUP-minemeldfeeds_src_lookup = minemeldfeeds_lookup indicator AS src_ip OUTPUT value.autofocus_tags AS src_autofocus_tags

I've tried creating the same stanza in local/props.conf on the deployer without specifying the lookup but that just brings additional errors:

LOOKUP-minemeldfeeds_src_lookup =

We don't plan on using the minemeldfeeds so I don't see a need for this automatic lookup. Other than remarking the line in default, how would we disable a default setting in an app on the search heads?

0 Karma
Reply

lakshman239
Influencer
‎02-11-2019 06:56 AM

whats your version of splunk core, ES, CIM and PA add-on? we are on 7.0.3/ 5.0.x, 4.11.0 and 6.0.2 and don't use mimemeldfeeds and I don't see any error when searching sourcetype=pan:threat.

What error are you seeing? what's your search?

you may be able to override the default/transforms.conf def with local/transforms definition, but thats' normally not needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...