Splunk Search

splunk tags.conf disable stanza

koshyk
Super Champion

We need to override tags & eventtypes from one of the official TAs (e.g. eventtype=ssh_authentication).

eventtypes.conf has disabled=true at a stanza level, but tags.conf does NOT have such an ability as per the spec.

Any chance to disable an entire stanza of tags.conf?

What we are looking for is something like the below in tags.conf:

[eventtype=ssh_authentication]
disabled=true

PS: If we don't do this, there is a "WARN" while doing a Splunk search in the GUI saying "unable to find eventtype=xxxxx".

0 Karma

harsmarvania57
SplunkTrust

Hi,

If I understand your question correctly, then you want to disable tags based on eventtypes & you are talking about the below eventtypes.conf stanza:

[sshd_authentication]
# osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
search = (NOT sourcetype=stash) NOT sourcetype=ossec sshd (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") from) OR "Authorized to" OR "Authentication tried" OR "Login restricted")
#tags = authentication remote

If this is the case, then do not disable this stanza in eventtypes.conf but disable the tags in tags.conf.
So if you want to disable the authentication tag, then you can do the below configuration in tags.conf:

[eventtype=sshd_authentication]
authentication = disabled
remote = enabled

0 Karma
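To see why the per-tag override in the answer above works without touching eventtypes.conf, here is a small added example (not part of this thread, and not Splunk's own code) that models the key-level merge Splunk applies across layered .conf files: a higher-precedence stanza overrides only the keys it names, and the TA's other tag keys survive. Both .conf fragments are constructed sample input; a real TA's tags.conf and the exact app-precedence order Splunk uses at search time (local over default, then app ordering) are more involved than this model.

```python
"""Model of layered tags.conf merging: a local stanza that sets one tag to
'disabled' overrides that key in the TA's stanza while leaving others intact.
Both fragments below are constructed sample input, not files from any real TA."""
import configparser

# Constructed: what a TA's default/tags.conf might contain for the eventtype.
TA_DEFAULT_TAGS_CONF = """
[eventtype=sshd_authentication]
authentication = enabled
remote = enabled
"""

# Constructed: the override from the answer above, placed in a higher-precedence
# layer (e.g. local/tags.conf of your own app). It names only the tag it disables.
LOCAL_OVERRIDE_TAGS_CONF = """
[eventtype=sshd_authentication]
authentication = disabled
"""


def parse_conf(text):
    """Parse a .conf fragment into {stanza: {key: value}}.

    Splunk .conf files are INI-style. Interpolation is switched off so '%' in a
    search string is not mangled, and optionxform is the identity so key case
    (tag names are case-sensitive) is preserved.
    """
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), comment_prefixes=("#",)
    )
    parser.optionxform = str
    parser.read_string(text)
    return {stanza: dict(parser.items(stanza)) for stanza in parser.sections()}


def merge_layers(*layers):
    """Merge conf layers given lowest precedence first.

    A later layer overrides individual keys inside the same stanza; keys the
    later layer does not mention are kept from the earlier layer.
    """
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def effective_tags(merged, stanza):
    """Return the sorted list of tags still 'enabled' for a stanza."""
    return sorted(
        tag for tag, state in merged.get(stanza, {}).items() if state == "enabled"
    )


def effective_sshd_tags():
    """Apply the constructed override on top of the constructed TA defaults."""
    merged = merge_layers(
        parse_conf(TA_DEFAULT_TAGS_CONF), parse_conf(LOCAL_OVERRIDE_TAGS_CONF)
    )
    return effective_tags(merged, "eventtype=sshd_authentication")


if __name__ == "__main__":
    # Only 'remote' survives: 'authentication' was overridden to 'disabled'.
    print(effective_sshd_tags())  # ['remote']
```

Note that this models only which tags remain attached to the eventtype; it says nothing about whether the eventtype's search itself still runs, which is the separate cost question raised in the follow-up.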

koshyk
Super Champion

But as per your suggestion, the hard work of eventtypes will still be done by Splunk?
So in the above example, the [sshd_authentication] search is done on EVERY single sourcetype and dataset, which is a hugely inefficient & unnecessary step as we are not using the eventtype anymore.

0 Karma