We are trying to override a field in Splunk_TA_nix. Rather than working on Splunk_TA_nix (local), we have a separate add-on for our company's customized settings. The add-on have higher order in ASCII ( MY_nix_addon )But when it comes to eventtypes.conf, somehow the override is NOT working.
/opt/splunk/etc/system/default/eventtypes.conf color =
/opt/splunk/etc/system/default/eventtypes.conf description =
/opt/splunk/etc/system/default/eventtypes.conf disabled = 0
/opt/splunk/etc/system/default/eventtypes.conf priority = 1
/opt/splunk/etc/apps/MY_nix_addon/local/eventtypes.conf search = (index=idx_os) sshd (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") from) OR "Authorized to" OR "Authentication tried" OR "Login restricted")
But literal search still goes back to the one in /opt/splunk/etc/apps/Splunk_TA_nix/local/eventtypes.conf entry and is not restricted based on index. The actual search happens but on original Splunk_TA_nix
(NOT sourcetype=stash) NOT sourcetype=ossec sshd (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") from) OR "Authorized to" OR "Authentication tried" OR "Login restricted")
The rest of the props.conf, transforms.conf works perfectly and if it shows in btool, the outcome is similar and we have been doing this for years. Somehow the eventtypes.conf btool vs literal search differs !! (I've restarted multiple times). Running the search by copy-paste works perfectly too.
any idea about this issue? Any other tricky things done by SplunkTAnix ?
Update: in the WebUI, rather than merging it into single eventtype, it shows as two eventtypes !!