Hi Everyone,
I want to override an EVAL statement that exists in a Splunkbase TA, but I don't want to modify the Splunkbase TA. So I created a custom TA and put in the same EVAL statement plus an extra category which I want to extract, but it is not working. Can anybody please help me with how I can do that?
Splunkbase TA config
/opt/splunk/etc/apps/TA-microsoft/default/props.conf
EVAL-internal_message_id = case(category IN ("Events1", "Events2"),'properties.MessageId')
Custom TA config
/opt/splunk/etc/apps/A-csc_cyber_genric_sh_Splunk_TA/default/props.conf
EVAL-internal_message_id = case(category IN ("Events1","Events2","Events3"),'properties.MessageId')
Thanks in Advance
Hi @sindhi,
I don't understand why you want to create a custom TA, when you can easily modify the Splunkbase TA.
Anyway, to have your own TA, you have to:
Except for the first activity, which must be done manually (and requires a Splunk restart), you can do the other activities through the GUI or by modifying the conf files;
in the first case you have to:
If instead you want to do this modifying conf files, you have to:
Then you have to copy the customized app to the destination Splunk servers (Indexers, Heavy Forwarders, etc...).
As I said, I suggest using the baseline app, modifying (in the ways I described) the transformation.
Ciao.
Giuseppe
I can think of at least one use case when you'd prefer to have a custom TA instead of modifying the vanilla TA.
When you want to distribute it and modify the default behaviour on only part of your forwarders.
I know it's not the case (we're talking about search-time EVALs so no forwarders involved here) but it's a legitimate use case to manage the configuration this way and override some parts of the config.
In here - one can also argue that leaving the TA as it is and creating own app just with that one overridden EVAL is a way of separating your own settings from the settings provided by TA effectively allowing you to upgrade just the original TA without worrying about your override.
But this approach has two caveats:
1) If the original TA changes, your override can still start behaving wrongly. And separating it into another app can make debugging harder (but btool to the rescue ;-))
2) At search time there can sometimes be issues with file precedence. Maybe with TAs you rarely search within the context of the TA, but still - there is a possibility.
Oh, and remember that you don't have to copy whole original TA just to override one setting. But then again - precedence rules... 🙂
Your idea was relatively ok. But there are two things to consider.
1. Make sure the permissions are ok.
2. You need to name your application so that precedence rules are applied the way you want. See https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Wheretofindtheconfigurationfiles
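The naming and permission points raised in the last two replies, as an added example that is not part of this thread or of Splunk's own code: a small Python model of how the two props.conf layers from the question are merged at search time. It assumes a placeholder stanza [my:sourcetype] (the real stanza is not shown in the thread), the search app as the current context, and the documented ASCII ordering of app directory names; the real merge can be checked with `splunk btool props list --debug`.

```python
import configparser

# Constructed props.conf contents for the two apps in the question.
# [my:sourcetype] is a placeholder; the real TA stanza is not shown in the thread.
TA_EVAL = "case(category IN (\"Events1\",\"Events2\"),'properties.MessageId')"
CUSTOM_EVAL = "case(category IN (\"Events1\",\"Events2\",\"Events3\"),'properties.MessageId')"
APPS = {
    "TA-microsoft": {"default": f"[my:sourcetype]\nEVAL-internal_message_id = {TA_EVAL}\n"},
    "A-csc_cyber_genric_sh_Splunk_TA": {"default": f"[my:sourcetype]\nEVAL-internal_message_id = {CUSTOM_EVAL}\n"},
}


def parse_props(text):
    """Parse props.conf text: keys stay case-sensitive, no % interpolation, '=' only."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def resolve(apps, stanza, key, current_app="search", exported=None):
    """Return (app, layer, value) for the copy of `key` that wins at search time.

    Layering modelled here (assumption, after Splunk's documented search-time
    order): the current app's local, then its default; then every other app's
    local in ASCII order of the app directory name, then their defaults in
    ASCII order. Other apps only contribute settings whose metadata exports
    them to system (`exported` maps app name -> bool, default True).
    """
    exported = exported or {}
    others = sorted(a for a in apps if a != current_app)  # ASCII: 'A-' < 'TA-' < 'csc'
    layers = [(current_app, "local"), (current_app, "default")]
    layers += [(a, "local") for a in others] + [(a, "default") for a in others]
    for app, layer in layers:
        if app != current_app and not exported.get(app, True):
            continue  # app-private setting: invisible when searching from another app
        text = apps.get(app, {}).get(layer)
        if text is None:
            continue
        cp = parse_props(text)
        if cp.has_option(stanza, key):
            return app, layer, cp.get(stanza, key)
    return None


if __name__ == "__main__":
    print(resolve(APPS, "my:sourcetype", "EVAL-internal_message_id"))
```

With both copies in default/, the custom app wins only because "A-" sorts before "TA-"; a lowercase app name would lose to the Splunkbase TA, and an app-private (non-exported) setting is never seen from the search app at all.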