Splunk Search

splunk tags.conf disable stanza

koshyk
Super Champion

We need to override a tags & eventtypes from one of the official TA (eg eventtype=ssh_authentication).

eventtypes.conf have disabled=true at a stanza level, but tags.conf does NOT have such ability as per spec.

Any chance to disable entire stanza of tags.conf?

What we are looking for is something like below in tags.conf

[eventtype=ssh_authentication]
disabled=true

PS: If we don't do this, there is a "WARN" while doing Splunk search in GUI saying "unable to find eventtype=xxxxx".

0 Karma

harsmarvania57
Ultra Champion

Hi,

If I understand your question correctly then you want to disable tags based on eventtypes & you are talking about below eventtypes.conf stanza

[sshd_authentication]
# osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
search = (NOT sourcetype=stash) NOT sourcetype=ossec sshd (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") from) OR "Authorized to" OR "Authentication tried" OR "Login restricted")
#tags = authentication remote

If this is the case then do not disable this stanza in eventtypes.conf but disable tags in tags.conf
So if you want to disable authentication tag then you can do below configuration in tags.conf

[eventtype=sshd_authentication]
authentication = disabled
remote = enabled
0 Karma

koshyk
Super Champion

but in as per your suggestion, the hard-work of eventtypes will be done by Splunk ?
So in above example, the [sshd_authentication] is done on EVERY single source-type and dataset, which is hugely inefficient & un-necessary step as we are not using the eventtype anymore.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...