Kintyre / TA-postfix

Postfix Add-on for Splunk (Compliant with the Mail CIM model)
https://splunkbase.splunk.com/app/3347/
Apache License 2.0

TA-postfix fails vetting and cannot be installed on Splunk Cloud #10

Open j-chia opened 3 years ago

j-chia commented 3 years ago

I've downloaded the .tgz as per our email yesterday, but Splunk Support still came back with "Review fails vetting and cannot be installed.". Would you consider the recommendations in the email below?

Thank you for your recent Splunk Cloud App request. Our Splunk Cloud operations and security teams have determined that the App you've requested is not compatible and/or secure within the Splunk Cloud service architecture. Please see their comments below:

Custom 0.8.5 - TA-postfix

Review fails vetting and cannot be installed.

Props Configuration file standards
Ensure that all props.conf files located in the default (or local) folder are well formed and valid.
props.conf transforms.conf
[failure] Check that pretrained sourctypes in props.conf have only "TRANSFORM-" or "SEDCMD" settings, and that those transforms only modify the host, source, or sourcetype. Only TRANSFORMS- or SEDCMD options are allowed for pretrained sourcetypes.
File: default/props.conf Line Number: 7

If you wish to make changes to the app, you can find documentation and utilities to assist you here: https://urldefense.com/v3/__http://dev.splunk.com/view/appinspect/SP-CAAAE9U__;!!NVzLfOphnbDXSw!XbGBHNAefhEhdcB_1AQ7C0yaD4OpwjXeIcOWxRR1cuVsKZxm5mAwg-YabOjkqtRyCw$

We look forward to working with you in the future to develop and install Apps that will further improve your Splunk Cloud experience. If you have any immediate questions or concerns, please let me know. If there are no questions at this time, please let me know and I will close this case.

Best Regards, Ashanjot Splunk Support

lowell80 commented 3 years ago

Unfortunately the recommendations provided by Splunk would render the app useless. (Splunk doesn't allow you to add field extractions to a built-in sourcetype, and that's kinda the primary point of this app.) Back when this app was created, the decision was made to simply use the existing sourcetype that Splunk ships with out-of-the-box and simply extend the definition, because after all there was nothing wrong with Splunk's default settings, we just wanted additional field extractions and CIM mappings. But in some situations this same behavior could be used to break other built-in sourcetypes, which seems like the reason Splunk Cloud is rejecting this approach.

On premise, you can make these decisions for yourself; you can evaluate the TA, determine that it's safe to apply, and move on.

So the challenge now is this: Fixing this essentially requires (1) picking a new sourcetype name, and (2) copying the implied default settings from (system/default/props.conf) into the app. On its own, this is a trivial task. However, the implication of such a change is that this change will break things for existing users. So to combat that, we could have users rename postfix_syslog to the new sourcetype so that they could access any existing data already indexed, but users will still be stuck with updating any existing searches or dashboards that explicitly reference the name postfix_syslog. So there's no simple upgrade strategy :-(

So I need to come up with some new names (likely for the app and for the sourcetype) because this seems like the right time to get this moved to a NEW app that's published on Splunkbase.
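What the two-step fix described in the comment above looks like in configuration, as an added example that is not the TA-postfix project's own props.conf: the rejected form that extends Splunk's pretrained `postfix_syslog` stanza, then an app-owned stanza under a new name with the base settings carried over, and the user-side `rename` that lets already-indexed data be found under the new name. The sourcetype name `postfix_syslog_ta`, the extraction names, the regex and the base-setting values are placeholders; the real values must be copied from `$SPLUNK_HOME/etc/system/default/props.conf` on the instance being configured.

```ini
# Added example; not the TA-postfix repository's own configuration.
# "postfix_syslog_ta", the EXTRACT-/FIELDALIAS- names and the regex are
# hypothetical; base-setting values are placeholders to be replaced with the
# ones found in $SPLUNK_HOME/etc/system/default/props.conf.

# ---- BEFORE (default/props.conf): extends a pretrained sourcetype ----
# Works on-prem, but fails Cloud vetting because anything other than
# TRANSFORMS-/SEDCMD on a pretrained stanza can alter how Splunk's own
# definition behaves for every other app on the instance.
[postfix_syslog]
EXTRACT-postfix_process = postfix/(?<process>\w+)\[(?<pid>\d+)\]:\s+(?<queue_id>[0-9A-F]+):
FIELDALIAS-postfix_cim = queue_id AS message_id

# ---- AFTER (default/props.conf): app-owned sourcetype ----
# (1) New name, so the app owns the entire definition and touches nothing
#     that ships with Splunk.
# (2) Base (index-time) settings copied from system/default/props.conf so
#     line breaking and timestamping behave exactly as before the rename.
[postfix_syslog_ta]
SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
# Search-time extractions now live on the app's own stanza.
EXTRACT-postfix_process = postfix/(?<process>\w+)\[(?<pid>\d+)\]:\s+(?<queue_id>[0-9A-F]+):
FIELDALIAS-postfix_cim = queue_id AS message_id

# ---- USER SIDE (local/props.conf on the search head, not in the app) ----
# Maps data already indexed as postfix_syslog onto the new definition at
# search time. Placed in the user's local config rather than the app, since
# the app itself may only carry TRANSFORMS-/SEDCMD under this stanza.
[postfix_syslog]
rename = postfix_syslog_ta
```

Inputs should be switched to `sourcetype = postfix_syslog_ta` at the forwarder so new data arrives under the app-owned name and gets its index-time settings. A `rename` applies only at search time: it does not re-run line breaking or timestamp extraction on old events, and saved searches or dashboards that hard-code `sourcetype=postfix_syslog` still need updating, which is the upgrade cost the comment above describes.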

lmnogues commented 3 years ago

Maybe Splunk has changed something, but I managed to install the app on a Splunk Cloud instance (0.85). The Transform/SED message was only a warning and not a failure (but still a failure on my app-inspect CLI).

lowell80 commented 3 years ago

@Jalkar,

Thanks for the info. I'm currently waiting on SplunkBase support to get back to me on whether or not I can convert the existing app to a hosted app so that I don't have to rename the whole thing.