Given I have some input with a bunch of fields that are not automatically extracted and I used the Field Extractor in the web interface to label the fields and I've ticked the box to select the fields I want to display.
Now that I've done that configuration, how can I take that configuration and share it with folks at other companies who also use Splunk to ingest the same data? What I think I mean is, "how can I create a sourcetype for my data?"
I understand I could write my own regexes and put them in props.conf, but if I can use the UI to do the hard part, why not? Right?
And I'm sure I'm a little ahead of myself here, but my end goal would be to put this in an app to share with other Splunk users that way. Just in case there's anything else that I should consider here with that goal in mind.
Thanks for any help.
This question seems pretty basic, I know, but I'm such a n00b with Splunk I'm not really sure how to ask it.
Your data already has a sourcetype and your field extractions are already saved (you should have been asked to give them names). You can search for them by going to All configurations and searching for them by name. You can then click on each one's Permissions link and select the All Apps radio button and check Everyone. That should be all that it takes for other people to see the same search-time extractions that you do. As far as the set of fields that you have checkmarked in the Field selector, this is part of your viewstate and that is not shareable in any practical way, but you can certainly read up on it now that you have a name for where it is stored. Anyone who forwards data in and uses the same sourcetype that you used will have the same things done to those events that are being done to yours.
Thanks, Woodcock. Perhaps I wasn't clear: I don't want to share with other Splunk users on the same system, I want to share with folks at other companies who have their own Splunk installations which ingest this kind of data.
(if I can edit my question to clarify, I'll do that now)
Right; I added some detail to my answer but I will add some more here. To share, you create a Splunk application and bundle up your configurations there. In your case, you should have an inputs.conf file and a
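The bundling step described in the answer above, as an added example (not Woodcock's code and not part of any Splunk app): a POSIX shell script that builds the minimal app layout that carries a search-time field extraction to another Splunk installation. The Field Extractor saves the regex it generated as an `EXTRACT-` stanza under the app's `local/props.conf` (or under `etc/users/<user>/<app>/local/props.conf` while it is private); copying that stanza into the app's `default/props.conf` is what makes it ship. The app name `vendor_fields`, the sourcetype `vendor_log` and the regex are constructed for illustration; replace them with the stanza the UI wrote for your data.

```shell
#!/bin/sh
# Added example: builds a minimal Splunk app that ships a search-time field
# extraction for one sourcetype. App name, sourcetype and regex are assumed
# (constructed) values, not the asker's real data.

# Usage: make_splunk_app <parent_dir> <app_name> <sourcetype> <regex>
# Prints the created app directory.
make_splunk_app() {
  parent="$1"; app="$2"; st="$3"; regex="$4"
  dir="$parent/$app"
  mkdir -p "$dir/default" "$dir/metadata"

  # app.conf identifies the app to Splunk; 'state = enabled' activates it.
  cat > "$dir/default/app.conf" <<EOF
[install]
state = enabled

[package]
id = $app

[ui]
is_visible = false
label = $app

[launcher]
author = unknown
description = Search-time field extractions for sourcetype $st
version = 1.0.0
EOF

  # props.conf carries the same EXTRACT- stanza the Field Extractor wrote to
  # local/props.conf, placed in default/ so it is part of the package.
  cat > "$dir/default/props.conf" <<EOF
[$st]
EXTRACT-$app = $regex
EOF

  # default.meta exports the app's knowledge objects (the extraction) to all
  # apps on the receiving system and restricts write access to admins.
  cat > "$dir/metadata/default.meta" <<EOF
[]
access = read : [ * ], write : [ admin ]
export = system
EOF
  printf '%s\n' "$dir"
}

# Usage: check_splunk_app <app_dir> <sourcetype>
# Returns 0 when the package carries the extraction and nothing site-local.
check_splunk_app() {
  dir="$1"; st="$2"
  grep -q "^\[$st\]" "$dir/default/props.conf" || return 1
  grep -q "^EXTRACT-" "$dir/default/props.conf" || return 1
  grep -q "^export = system" "$dir/metadata/default.meta" || return 1
  # local/ holds per-installation overrides and must not be shipped.
  [ ! -d "$dir/local" ] || return 1
  return 0
}

# Demo run in a temporary directory with a constructed regex.
demo_dir=$(mktemp -d)
make_splunk_app "$demo_dir" vendor_fields vendor_log \
  '^(?<src_ip>\d+\.\d+\.\d+\.\d+)\s+(?<action>\w+)' >/dev/null
check_splunk_app "$demo_dir/vendor_fields" vendor_log && echo "app layout OK"
```

Pack the resulting directory as a tarball and the other company drops it into `$SPLUNK_HOME/etc/apps/`; because the extraction lives in `default/` with `export = system`, their searches over events with that sourcetype get the same fields without anyone re-running the Field Extractor. Only `inputs.conf` still has to match their collection setup, which is why it is kept out of this example.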
Ok, thanks. This link on creating an application looks to be very helpful.
So I can't benefit from the automagical regexification done via the UI to build my props.conf.
Oh well (= ... I had to write my own inputs.conf too (which is another post, but the reason why the incoming data has a "sourcetype" of tcp-raw