Hi,
Are there any available applications to address the issue of incorrect parsing of secret server logs in Splunk cloud?
Thanks
Hi @richgalloway ,
Can you help me build an add-on, with a step-by-step process for it? Is there any article/video available?
Thanks
I'm not aware of a step-by-step tutorial for creating apps, but it's pretty simple. The hardest part may be getting the app to pass vetting by Splunk Cloud.
Start by creating a directory for your app. For example, $SPLUNK_HOME/etc/apps/my_app/default. You can change "my_app" to anything you like, but leave the rest of the path unchanged.
Create a props.conf file in the directory. Add content to that file as necessary to parse your data. If you add any transforms, be sure to create a transforms.conf file in the same directory.
Create an app.conf file in the directory. Populate it as specified at https://dev.splunk.com/enterprise/reference/appinspect/appinspectcheck#Appconf-standards
Package the app using tar (or equivalent command) to create a .tgz file. Do not perform this step on Windows because the file permissions will not be saved correctly.
Upload the app to Splunk Cloud and review the vetting results. Update the app to correct any failures reported. Repeat this step until there are no reported failures.
Install the app.
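The steps above, carried out as an added example (not code from this thread): it writes props.conf and app.conf under my_app/default, then packages the app with tarfile while pinning POSIX permissions and ownership on every member, so the .tgz comes out the same whether it is built on Linux, macOS or Windows. The sourcetype name, the author/description/version values and the extraction settings are assumptions for illustration; check app.conf against the AppInspect app.conf standards linked above before uploading.

```python
"""Build and package a minimal Splunk parsing app (added example, not from the thread)."""
import os
import tarfile
import tempfile

APP_NAME = "my_app"   # directory name; the [package] id below must match it

# Assumed sourcetype; the settings mirror the props.conf examples quoted later in this thread.
PROPS_CONF = r"""[mysourcetype]
EXTRACT-action = Action: \[(?<action>[^\]]+)\]
EXTRACT-user = User: (?<user>\S+)
SEDCMD-cs2Label = s/cs2Label=Group or User//
"""

# Minimal app.conf; author/description/version are placeholders to replace.
APP_CONF = f"""[install]
is_configured = false
state = enabled

[ui]
is_visible = false
label = Secret Server parsing

[launcher]
author = example author
description = Field extractions for Secret Server logs
version = 1.0.0

[package]
id = {APP_NAME}
"""


def write_app(parent_dir: str) -> str:
    """Create <parent_dir>/<APP_NAME>/default/{props.conf,app.conf}; return the app path."""
    app_dir = os.path.join(parent_dir, APP_NAME)
    default_dir = os.path.join(app_dir, "default")
    os.makedirs(default_dir, exist_ok=True)
    for name, body in (("props.conf", PROPS_CONF), ("app.conf", APP_CONF)):
        with open(os.path.join(default_dir, name), "w", newline="\n") as fh:
            fh.write(body)
    return app_dir


def _normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Pin ownership and mode so the archive does not depend on the build host (the Windows caveat)."""
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.isdir() else 0o644
    return info


def package_app(app_dir: str) -> str:
    """Tar the app directory, as its own top-level folder, into <app>.tgz."""
    tgz_path = app_dir + ".tgz"
    with tarfile.open(tgz_path, "w:gz") as tar:
        tar.add(app_dir, arcname=APP_NAME, filter=_normalize)
    return tgz_path


def inspect_package(tgz_path: str) -> dict:
    """Return {member name: mode} for the archive, as a pre-upload sanity check."""
    with tarfile.open(tgz_path, "r:gz") as tar:
        return {m.name: m.mode for m in tar.getmembers()}


def build_and_inspect() -> dict:
    """Build the app in a scratch directory and return its member/mode map."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_package(package_app(write_app(tmp)))


if __name__ == "__main__":
    for name, mode in sorted(build_and_inspect().items()):
        print(f"{mode:o} {name}")
```

The archive must contain the app directory itself at the top level (my_app/default/props.conf, not default/props.conf), which is why tar.add is given arcname=APP_NAME; inspect_package lets you confirm that and the permissions before the upload and vetting round trip.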
Hi
Would you be able to set up an app or custom parser for me?
Thanks...
I cannot do that. That's a job for Splunk Professional Services.
Hi @AL3Z ... As Rich said in his reply, building a Splunk app or add-on can be an easy task if you have some development experience.
Maybe, if you are really interested, you could learn it. Most apps / add-ons are simple and easy.
I went to the link you provided; it looks good. Give it a try and update us with your views; maybe we can suggest something. Thanks.
...
Hi @AL3Z .. Could you please edit the sample log (remove all important things like IP addresses, usernames, and any sensitive info)? Thanks.
The props and transforms require some homework from your side. I will try my best to create them and get back to you. Thanks.
Hi, @inventsekar ,
Can you please create a few fields so that I can create the remaining fields?
Thanks
Example field extractions in props.conf look like this:
EXTRACT-action = Action: \[(?<action>[^\]]+)\]
EXTRACT-user = User: (?<user>\S+)
What follows the = is a regular expression very much like what is used with the rex command. With these examples and a little experimentation in regex101.com you should be able to extract the remaining fields.
If you have troubles, please post the field you're trying to extract and the command you tried.
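A way to check EXTRACT-* regexes against sample events before the app is installed, as an added example that is not part of this thread: it takes the two extractions shown above plus one assumed extra (EXTRACT-secret), rewrites Splunk's PCRE named groups (?<name>...) into Python's (?P<name>...), and runs them over constructed events. The event format is an assumption for illustration, not real Secret Server output.

```python
"""Dry-run Splunk EXTRACT-* settings over sample events (added example, not from the thread)."""
import re

# Settings as they would appear in props.conf (Splunk/PCRE syntax).
EXTRACTIONS = {
    "EXTRACT-action": r"Action: \[(?<action>[^\]]+)\]",
    "EXTRACT-user": r"User: (?<user>\S+)",
    "EXTRACT-secret": r"Secret: \[(?<secret>[^\]]+)\]",   # assumed, not from the thread
}

# Constructed sample events. The third has an empty user to show a non-match.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z Action: [SECRET - VIEW] User: samuel.raj Secret: [prod-db-root]",
    "2024-01-01T10:00:05Z Action: [USER - LOGIN] User: jhony.walker",
    "2024-01-01T10:00:09Z Action: [SECRET - EDIT] User:   Secret: [x]",
]


def pcre_to_python(pattern: str) -> str:
    """Rewrite (?<name>...) to (?P<name>...); leave lookbehinds (?<= and (?<! alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract_fields(event: str, extractions: dict) -> dict:
    """Apply each EXTRACT regex like Splunk does: first match wins, no match means no field."""
    fields = {}
    for pcre in extractions.values():
        match = re.search(pcre_to_python(pcre), event)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


def extract_all(events=SAMPLE_EVENTS, extractions=EXTRACTIONS):
    """Return one {field: value} dict per event."""
    return [extract_fields(e, extractions) for e in events]


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, extract_all()):
        print(event)
        print("   ->", fields)
```

Note the third event: "User:" followed by spaces does not satisfy (?<user>\S+), so the user field is simply absent rather than empty, which is also what Splunk would show. Python's re handles these patterns, but Splunk uses PCRE, so keep regex101.com set to the PCRE flavor as the final check for anything that uses PCRE-only features.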
....
Change the name of a field using the rename command.
| rename cs4 as suser_display, cs3 as folder
You can use SEDCMD settings in props.conf to remove unwanted fields from events.
[mysourcetype]
SEDCMD-cs2Label = s/cs2Label=Group or User//
Hi @richgalloway ,
How can we test whether it is parsing or not without installing the app?
Can we create new fields, 1. user and 2. group, according to the field values as mentioned above?
Thanks...
To test parsing you can use regex101.com or use the rex command in a search window.
| rex mode=sed "<<sed string to test>>"
Creating a User and/or Group field would be a challenge since the cs2 field could contain either a user or a group name and Splunk has no way to know which.
Hi @richgalloway ,
The user naming convention looks like first name last name, e.g. samuel raj, jhony walker, etc. This should go in the user field. The group naming convention looks like Secret Server Linux Server, Secret Server Windows Server, etc., and this should go in the group field. How can we achieve this?
Thanks..
Again, the cs2 field can contain either a user name or a group name. Users and groups have very similar naming conventions so I don't see how Splunk can correctly determine if a given cs2 value is a user or a group.
Unless, that is, assumptions can be made about user or group names. For example, if a group name always begins with "Secret Server".
| eval group = if(match(cs2, "^Secret Server"), cs2, null())
| eval user = if(match(cs2, "^Secret Server"), null(), cs2)
Hi @richgalloway ,
These eval group and eval user stanzas have to be in transforms.conf, right?
thanks
The eval examples I provided yesterday are for SPL queries. They can be modified for props.conf files, however.
@richgalloway ,
How can we modify them for props.conf?
thanks
What have you tried so far?
These two eval commands
| eval group = if(match(cs2, "^Secret Server"), cs2, null())
| eval user = if(match(cs2, "^Secret Server"), null(), cs2)
Become these two EVAL statements in props.conf:
EVAL-group = if(match(cs2, "^Secret Server"), cs2, null())
EVAL-user = if(match(cs2, "^Secret Server"), null(), cs2)
Assuming, that is, the cs2 field is already extracted.
See https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Propsconf#Field_extraction_configuration
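The props.conf settings from this thread simulated end to end on sample events, as an added example that is not part of the thread: it applies the SEDCMD from the earlier reply, then an assumed EXTRACT for cs2 (the thread only assumes cs2 is already extracted), then the two EVAL settings above, in the order Splunk applies them: SEDCMD on _raw at index time, EXTRACT and then EVAL at search time. The events are constructed CEF-style fragments, not real Secret Server output, and the cs2 regex is an assumption.

```python
"""Simulate SEDCMD -> EXTRACT -> EVAL from this thread (added example, not from the thread)."""
import re

SAMPLE_EVENTS = [  # constructed
    "cs2=Secret Server Linux Server cs2Label=Group or User cs3=Linux Prod cs3Label=folder",
    "cs2=samuel raj cs2Label=Group or User cs3=Finance cs3Label=folder",
    "cs3=Finance cs3Label=folder",          # no cs2 at all
]

SEDCMD = "s/cs2Label=Group or User//"                       # from the thread
EXTRACT_CS2 = r"cs2=(?<cs2>.*?)(?=\s+\w+=|$)"              # assumed: value runs to the next key=
GROUP_PREFIX = r"^Secret Server"                            # the match() pattern used in EVAL-group


def apply_sedcmd(raw: str, sed: str) -> str:
    """Apply a Splunk SEDCMD of the form s/regex/replacement/flags to _raw.
    Splunk replaces the first match unless the g flag is given.
    Assumes the regex and replacement contain no escaped '/' delimiters."""
    kind, delim = sed[0], sed[1]
    if kind != "s":
        raise ValueError("only s/// substitutions are handled here")
    pattern, replacement, flags = sed[2:].split(delim)
    count = 0 if "g" in flags else 1
    return re.sub(pattern, replacement, raw, count=count)


def extract_cs2(raw: str):
    """EXTRACT-cs2 at search time; None means Splunk would have no cs2 field."""
    match = re.search(EXTRACT_CS2.replace("(?<", "(?P<"), raw)
    return match.group("cs2") if match else None


def eval_user_group(cs2):
    """EVAL-group / EVAL-user from the reply above: split one field on a name-prefix rule."""
    if cs2 is None:            # no cs2: neither calculated field exists
        return {}
    if re.search(GROUP_PREFIX, cs2):
        return {"group": cs2}
    return {"user": cs2}


def run_pipeline(events=SAMPLE_EVENTS):
    """Return the search-time fields each event would end up with."""
    rows = []
    for raw in events:
        indexed = apply_sedcmd(raw, SEDCMD)      # index time
        cs2 = extract_cs2(indexed)               # search time: extracted fields
        fields = {"cs2": cs2} if cs2 is not None else {}
        fields.update(eval_user_group(cs2))      # search time: calculated fields
        rows.append(fields)
    return rows


if __name__ == "__main__":
    for raw, fields in zip(SAMPLE_EVENTS, run_pipeline()):
        print(raw)
        print("   ->", fields)
```

Two things the simulation makes visible: SEDCMD is an index-time setting, so it only changes data indexed after it is deployed (already-indexed events keep their cs2Label text, which is why testing with | rex mode=sed on a search is useful), and the EVAL settings only work because cs2 comes out of an extraction first; with no cs2 at all, neither user nor group exists.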