We need to override tags & eventtypes from one of the official TAs (e.g. `eventtype=ssh_authentication`).
eventtypes.conf has `disabled=true` at a stanza level, but tags.conf does NOT have such an ability as per the spec.
Any chance to disable entire stanza of tags.conf?
What we are looking for is something like the below in tags.conf:

```
[eventtype=ssh_authentication]
disabled=true
```

PS: If we don't do this, there is a "WARN" while doing a Splunk search in the GUI saying "unable to find eventtype=xxxxx".