doksu / splunk_auditd

Splunk App for Linux Auditd

TA naming scheme #11

Open brandonganem opened 8 years ago

brandonganem commented 8 years ago

Just a quick note - Splunk Enterprise Security has an import filter for TAs: `appregex = (search)|([ST]A-.*)|(Splunk[ST]A.*)|(DA-ESS-.*)|(SplunkDA-ESS.*)`

This means when the TA is named "TA_" it will not import into ESS. It would be great if the name was updated to use "TA-" for auto import in ESS.

doksu commented 8 years ago

Hi Brandon,

Thanks very much for opening this issue.

The Linux Auditd app for Splunk was originally developed for the vendor's first "Apptitude" competition. One of the rules in the competition was that this document (http://challenges.s3.amazonaws.com/splunk/Best%20Practices%20App%20building.pdf) was to be followed exactly. On page 4 it specified the convention 'TA_vendor-product' so I used that even though at the time I thought it was at odds with the more widely accepted 'TA-' convention. It seemed the vendor was moving in the 'TA_' convention direction, similar to the sourcetype naming convention change they made from _ to :.

I considered renaming the app to resolve the issue you've raised, but that too could be problematic and so I raised an RFE with support to add '|(TA_.)' to the app_regex. In the interim, my suggestion would be to create a local appregex with 'TA_'; I should add this to the documentation :).

Thanks, Doksu

brandonganem commented 8 years ago

Thanks doksu. It isn't entirely surprising that their best practices for some things are out of alignment with their communication for other best practices.

For example, their new addon builder utilizes the "TA_" naming scheme: http://docs.splunk.com/Documentation/AddonBuilder/latest/UserGuide/NameProject

Ultimately it isn't a huge deal either way. The workaround you suggested is fine, but not entirely upgrade safe for ES (what if they change the whitelist? The whole key gets overridden in local so your changes are immortal). That's not really this app's fault, it's more of a design fault with ES. The other workaround is to rename the TA which is what I've done. Not a big deal.

Thanks!
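To make the two points in this thread concrete (the ES `appregex` filter silently skipping a `TA_`-prefixed app, and a `local` override replacing the whole key rather than appending to it), here is an added Python example that is not part of the original issue or the splunk_auditd project. It assumes ES applies the pattern as a full match against the app directory name (an assumption, not something the thread states), uses the regex as quoted above, and the app names in `SAMPLE_APPS` are constructed for the demonstration.

```python
import re

# Default ES import filter as quoted in the issue (constructed from the
# thread, not copied from an ES install).
DEFAULT_APPREGEX = r"(search)|([ST]A-.*)|(Splunk[ST]A.*)|(DA-ESS-.*)|(SplunkDA-ESS.*)"

# A local override replaces the key entirely, so it must restate the whole
# default and then add the extra alternative; otherwise every other app drops
# out of the import. This is the "immortal" local setting the thread warns about.
LOCAL_APPREGEX = DEFAULT_APPREGEX + r"|(TA_.*)"

# Constructed app directory names for the demonstration.
SAMPLE_APPS = [
    "search",
    "TA-linux_auditd",    # hyphen: matches the default filter
    "TA_linux_auditd",    # underscore: the naming this issue is about
    "SA-example",
    "DA-ESS-example",
    "custom_dashboards",  # not an add-on, never imported
]


def is_imported(app_name, appregex=DEFAULT_APPREGEX):
    """Return True if app_name would be imported by ES under appregex.

    Assumption: ES evaluates the pattern as a full match on the app name,
    so 'searchx' does not ride in on the '(search)' alternative.
    """
    return re.fullmatch(appregex, app_name) is not None


def classify(app_names, appregex=DEFAULT_APPREGEX):
    """Map each app name to whether the filter imports it."""
    return {name: is_imported(name, appregex) for name in app_names}


def missing_from_import(app_names, appregex=DEFAULT_APPREGEX):
    """Names that look like add-ons (TA/SA prefix with either separator)
    but fail the filter: these are the ones ES's CIM validation will
    silently skip, which is the symptom described in the thread."""
    looks_like_addon = re.compile(r"(Splunk)?[ST]A[-_]")
    return [
        name for name in app_names
        if looks_like_addon.match(name) and not is_imported(name, appregex)
    ]


if __name__ == "__main__":
    print("default filter :", classify(SAMPLE_APPS))
    print("skipped add-ons:", missing_from_import(SAMPLE_APPS))
    print("with override  :", missing_from_import(SAMPLE_APPS, LOCAL_APPREGEX))
```

Running it shows `TA_linux_auditd` as the only add-on the default filter skips, and an empty skip list once the local override carries both the original alternatives and `(TA_.*)`. The check in `missing_from_import` is the kind of thing worth running after an ES upgrade, since a changed default regex stays masked by an unchanged `local` copy.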

doksu commented 8 years ago

Just putting a note here with a link to an issue someone else was having with the TA's naming convention and ES: https://answers.splunk.com/answers/418287/cim-is-not-getting-validated-after-splunk-upgrade.html#answer-419124

doksu commented 8 years ago

I've asked Jack Coates (PM for the add-on builder app) about this issue and he informed me that use of the 'TA_' convention has been "fixed" as a bug: http://docs.splunk.com/Documentation/AddonBuilder/1.0.1/UserGuide/Fixedissues