How do you override a default app setting on a sea...

john_dagostino · ‎02-11-2019

We are using the Palo Alto TA and pushing the default app to our search head cluster. In props.conf there is an automatic lookup which references a KV store that is empty, causing errors when searching that data source on the search heads:

LOOKUP-minemeldfeeds_src_lookup = minemeldfeeds_lookup indicator AS src_ip OUTPUT value.autofocus_tags AS src_autofocus_tags

I've tried creating the same stanza in local/props.conf on the deployer without specifying the lookup but that just brings additional errors:

LOOKUP-minemeldfeeds_src_lookup =

We don't plan on using the minemeldfeeds so I don't see a need for this automatic lookup. Other than remarking the line in default, how would we disable a default setting in an app on the search heads?

lakshman239 · ‎02-11-2019

whats your version of splunk core, ES, CIM and PA add-on? we are on 7.0.3/ 5.0.x, 4.11.0 and 6.0.2 and don't use mimemeldfeeds and I don't see any error when searching sourcetype=pan:threat.

What error are you seeing? what's your search?

you may be able to override the default/transforms.conf def with local/transforms definition, but thats' normally not needed.

How do you override a default app setting on a search head cluster?

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest