Splunk package CLI is not bundling my saved search...

mumblingsages · ‎08-19-2017

So I have a nice little application created in my development splunk instance. I'd like to package it with the splunk package CLI and move the application to my integration/qa splunk instance so the QA team can test it. Problem I'm running into is that when I run splunk package command from the command line, it's not including all the saved searches (reports) or my custom event types into the resultant package. I followed the instructions for packaging and publishing located here. But it just doesn't seem to pick those up.

I have verified that both the saved searches and event types belong to the application. So I'm completely befuddled as to what is wrong. I really don't like the idea of manually recreating all of those!

[EDIT]
Looks like my link didn't work: http://dev.splunk.com/view/webframework-developapps/SP-CAAAEMY

ptang_splunk · ‎08-22-2017

Hi @mumblingsages,

Could you check if your reports, eventtypes or any other knowledge objects are under your app folder: $SPLUNK_HOME/etc/apps/your_app_name/default or /local?

My first thought would be to verify if your knowledge objects are not Private and they need to be shared to apps. In such case, it won't be part of the package as private objects are under $SPLUNK_HOME/etc/users/...

However, please let me know if that is the case.

Thanks,

Philippe

Splunk package CLI is not bundling my saved searches or event types. Why?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...