How to override EVAL statement that exist in Splun...

sindhi · ‎04-30-2022

Hi Everyone,

I want to override EVAL statement exist in Splunkbase TA but don't want to modify in splunkbase TA. So I create custom TA and put same EVAL statement+extra category which I want to extract but it is not working. Can anybody please help me how I can do that.

Splunkbase TA config

/opt/splunk/etc/apps/TA-microsoft/default/props.conf EVAL-internal_message_id = case(category IN ("Events1", "Events2"),'properties.MessageId')

Custom TA config

/opt/splunk/etc/apps/A-csc_cyber_genric_sh_Splunk_TA/default/props.conf EVAL-internal_message_id = case(category IN ("Events1","Events2","Events3"),'properties.MessageId')

Thanks in Advance

gcusello · ‎04-30-2022

Hi @sindhi,

I don't understand why you want to create a custom TA, when you can easily modify the splunkbase TA.

Anyway, to have your own TA, you have to:

copy the splunkbase TA in another folder with a diferent name,
manually modify apps.conf,
manually modify props.conf.

Except the first activity that must manually done (and requires a Splunk restart), You can do the other activities by GUI interface or modifying the conf files,

in the first case you have to:

apps.conf
- manage Apps,
- choose the App to customize,
- open "Edit Properties"
- change the name of the App
props.conf
- Settings
- Fields
- Calculated Fields
- choose the transformation to modify
- modify the transformation

If instead you want to do this modifying conf files, you have to:

move to $SPLUNK_HOME/etc/apps/<your_app>/default
copy app.conf in ../local (if not present create the new folder)
copy props.conf in ../local
move in local
manually modify app.conf changing the app name
manually modify props.conf changing the transformation
restart Splunk.

Then you have to copy the customized app to the destination Splunk servers (Indexers, Heavy Forwarders, etc...).

As I said I hint to use the baseline app modifyng (in the ways I described) the transformation.

Ciao.

Giuseppe

PickleRick · ‎04-30-2022

I can think of at least one use case when you'd prefer to have a custom TA instead of modifying the vanilla TA.

When you want to distribute it and modify the default behaviour on only part of your forwarders.

I know it's not the case (we're talking about search-time EVALs so no forwarders involved here) but it's a legitimate use case to manage the configuration this way and override some parts of the config.

In here - one can also argue that leaving the TA as it is and creating own app just with that one overridden EVAL is a way of separating your own settings from the settings provided by TA effectively allowing you to upgrade just the original TA without worrying about your override.

But this approach has two caveats:

1) If the original TA changes your override can still start behaving wrong. And separating it into another app can make debugging harder (but btool to the rescue ;-))

2) In search time there can be sometimes issues with file precedence. Maybe with TAs you rarely search within the context of TA but still - there is a possibility.

Oh, and remember that you don't have to copy whole original TA just to override one setting. But then again - precedence rules... 🙂

PickleRick · ‎04-30-2022

Your idea was relatively ok. But there are two things to consider.

1. Make sure the permissions are ok.

2. You need to name your application so that precedence rules are applied the way you want. See https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Wheretofindtheconfigurationfiles

How to override EVAL statement that exist in Splunkbase TA but don't want to modify in splunkbase TA?

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life