Hi everyone,
I am trying to create a custom TA to normalize my data for the Splunk Enterprise Security app. I am using the Splunk Add-On Builder app.
In step 3, we have to add a sourcetype. When I add a sourcetype with the same name as the one that exists on my Splunk instance, it is supposed to find all the events related to that sourcetype and give me the count of those events.
However, when I do that (here I am using dummy data and adding the sourcetype 'access_combined' which matches the sourcetype name present on my Splunk instance), I am getting an error saying
The access_combined sourcetype already exists in Splunk Enterprise
Please let me know how to resolve this issue. Am I doing something wrong here?
Thank you.
PS: Please find attached the screenshot for further clarification.