We need to override a tags & eventtypes from one of the official TA (eg eventtype=ssh_authentication
).
eventtypes.conf have disabled=true
at a stanza level, but tags.conf does NOT have such ability as per spec.
Any chance to disable entire stanza of tags.conf?
What we are looking for is something like below in tags.conf
[eventtype=ssh_authentication]
disabled=true
PS: If we don't do this, there is a "WARN" while doing Splunk search in GUI saying "unable to find eventtype=xxxxx".
Hi,
If I understand your question correctly then you want to disable tags based on eventtypes & you are talking about below eventtypes.conf stanza
[sshd_authentication]
# osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
search = (NOT sourcetype=stash) NOT sourcetype=ossec sshd (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") from) OR "Authorized to" OR "Authentication tried" OR "Login restricted")
#tags = authentication remote
If this is the case then do not disable this stanza in eventtypes.conf but disable tags in tags.conf
So if you want to disable authentication
tag then you can do below configuration in tags.conf
[eventtype=sshd_authentication]
authentication = disabled
remote = enabled
but in as per your suggestion, the hard-work of eventtypes will be done by Splunk ?
So in above example, the [sshd_authentication]
is done on EVERY single source-type and dataset, which is hugely inefficient & un-necessary step as we are not using the eventtype anymore.