Splunk package CLI is not bundling my saved search...

mumblingsages · ‎08-19-2017

So I have a nice little application created in my development splunk instance. I'd like to package it with the splunk package CLI and move the application to my integration/qa splunk instance so the QA team can test it. Problem I'm running into is that when I run splunk package command from the command line, it's not including all the saved searches (reports) or my custom event types into the resultant package. I followed the instructions for packaging and publishing located here. But it just doesn't seem to pick those up.

I have verified that both the saved searches and event types belong to the application. So I'm completely befuddled as to what is wrong. I really don't like the idea of manually recreating all of those!

[EDIT]
Looks like my link didn't work: http://dev.splunk.com/view/webframework-developapps/SP-CAAAEMY

ptang_splunk · ‎08-22-2017

Hi @mumblingsages,

Could you check if your reports, eventtypes or any other knowledge objects are under your app folder: $SPLUNK_HOME/etc/apps/your_app_name/default or /local?

My first thought would be to verify if your knowledge objects are not Private and they need to be shared to apps. In such case, it won't be part of the package as private objects are under $SPLUNK_HOME/etc/users/...

However, please let me know if that is the case.

Thanks,

Philippe

Splunk package CLI is not bundling my saved searches or event types. Why?

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms