Monitoring Splunk

Splunk btool vs literal search differ

koshyk
Super Champion

We are trying to override a field in Splunk_TA_nix.
Rather than working on Splunk_TA_nix (local), we have a separate add-on for our company's customized settings. The add-on has higher order in ASCII (MY_nix_addon). But when it comes to eventtypes.conf, somehow the override is NOT working.

Btool output.

/opt/splunk/etc/apps/MY_nix_addon/local/eventtypes.conf            [sshd_authentication]
/opt/splunk/etc/system/default/eventtypes.conf                          color = 
/opt/splunk/etc/system/default/eventtypes.conf                          description = 
/opt/splunk/etc/system/default/eventtypes.conf                          disabled = 0
/opt/splunk/etc/system/default/eventtypes.conf                          priority = 1
/opt/splunk/etc/apps/MY_nix_addon/local/eventtypes.conf            search = (index=idx_os) sshd (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") from) OR "Authorized to" OR "Authentication tried" OR "Login restricted") 

But the literal search still goes back to the one in the /opt/splunk/etc/apps/Splunk_TA_nix/local/eventtypes.conf entry and is not restricted based on index. The actual search happens, but on the original Splunk_TA_nix one:

(NOT sourcetype=stash) NOT sourcetype=ossec sshd (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") from) OR "Authorized to" OR "Authentication tried" OR "Login restricted")

The rest of props.conf and transforms.conf work perfectly, and if it shows in btool, the outcome is the same; we have been doing this for years. Somehow the eventtypes.conf btool output vs. the literal search differ!! (I've restarted multiple times.) Running the search by copy-paste works perfectly too.

Any idea about this issue? Any other tricky things done by Splunk_TA_nix?

Update:
In the WebUI, rather than merging it into a single eventtype, it shows as two eventtypes!!
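As an added example, not part of the original post and not Splunk's own code, the Python below models the file-precedence rules btool applies when it merges a stanza such as [sshd_authentication]. The eventtypes.conf contents are constructed to mirror the layout in the btool output above (a [default] stanza in system/default, competing [sshd_authentication] stanzas in two apps' local directories), not copied from a real host. The global-context order it encodes (system/local, then apps/*/local compared in ASCII order, then apps/*/default, then system/default) is the documented one; the app-context order, which applies when a search runs inside a particular app and is the reason a search can see a different definition than a plain btool run, is my reading of the precedence documentation and is marked as an assumption in the code.

```python
"""Model of Splunk .conf layering, used to reason about btool output
for eventtypes.conf. Added example with constructed sample files."""
import configparser
from pathlib import PurePosixPath
from typing import Optional

# Constructed sample files (path -> contents); not copied from a real host.
SAMPLE_FILES = {
    "/opt/splunk/etc/system/default/eventtypes.conf": (
        "[default]\n"
        "color =\n"
        "description =\n"
        "disabled = 0\n"
        "priority = 1\n"
    ),
    "/opt/splunk/etc/apps/Splunk_TA_nix/local/eventtypes.conf": (
        "[sshd_authentication]\n"
        "search = (NOT sourcetype=stash) NOT sourcetype=ossec sshd "
        "(Accepted OR Failed)\n"
    ),
    "/opt/splunk/etc/apps/MY_nix_addon/local/eventtypes.conf": (
        "[sshd_authentication]\n"
        "search = (index=idx_os) sshd (Accepted OR Failed)\n"
    ),
}


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk-style .conf text: keep key case, no % interpolation,
    and treat [default] as an ordinary stanza (configparser would otherwise
    only recognise its own DEFAULT section)."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True,
        default_section="__no_default__",
    )
    cp.optionxform = str
    cp.read_string(text)
    return cp


def precedence_rank(path: str, current_app: Optional[str] = None) -> tuple:
    """Sort key for a .conf path: lower sorts first = higher precedence.
    Global context (current_app=None): system/local, apps/*/local,
    apps/*/default, system/default. App names are compared as plain
    strings, i.e. ASCII order, so 'MY_nix_addon' beats 'Splunk_TA_nix'
    because 'M' (0x4D) < 'S' (0x53).
    App context (current_app set): that app's local then default come
    first, then other apps' local/default, then system local/default.
    ASSUMPTION: the app-context order is my reading of the docs."""
    parts = PurePosixPath(path).parts
    i = parts.index("etc")
    scope, rest = parts[i + 1], parts[i + 2:]
    if scope == "system":
        is_local = rest[0] == "local"
        if current_app is None:
            return (0 if is_local else 3, "")
        return (4 if is_local else 5, "")
    if scope == "apps":
        app, is_local = rest[0], rest[1] == "local"
        if current_app is None:
            return (1 if is_local else 2, app)
        if app == current_app:
            return (0 if is_local else 1, app)
        return (2 if is_local else 3, app)
    raise ValueError(f"not under etc/system or etc/apps: {path}")


def resolve_stanza(files: dict, stanza: str,
                   current_app: Optional[str] = None) -> dict:
    """Return {key: (value, winning_file)}, the view `btool --debug` gives.
    Explicit stanza settings beat [default] settings; within each, the
    highest-precedence file that sets the key wins."""
    ordered = sorted(files, key=lambda p: precedence_rank(p, current_app))
    parsed = {p: parse_conf(files[p]) for p in ordered}
    merged = {}
    for section in (stanza, "default"):
        for path in ordered:
            cp = parsed[path]
            if cp.has_section(section):
                for key, value in cp.items(section):
                    merged.setdefault(key, (value, path))
    return merged


def btool_lines(files: dict, stanza: str,
                current_app: Optional[str] = None) -> list:
    """Render the merged stanza in btool --debug's two-column layout."""
    merged = resolve_stanza(files, stanza, current_app)
    width = max(len(p) for p in files)
    return [f"{p:<{width}}  {k} = {v}" for k, (v, p) in sorted(merged.items())]


if __name__ == "__main__":
    print("\n".join(btool_lines(SAMPLE_FILES, "sshd_authentication")))
    # Same files, but the company add-on renamed so it sorts after 'S':
    # the override silently loses in the global context.
    renamed = {p.replace("MY_nix_addon", "zz_nix_addon"): t
               for p, t in SAMPLE_FILES.items()}
    print(resolve_stanza(renamed, "sshd_authentication")["search"][1])
```

On a real host the equivalent check is `splunk btool eventtypes list sshd_authentication --debug`, which prints the winning file next to each key; adding `--app=<app>` evaluates the app context instead of the global one, which is the context a search launched from that app actually runs in. Comparing the two outputs is the quickest way to see whether an app-context rule, rather than the ASCII ordering of the add-on names, is selecting the definition.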
