Splunk Search

Extracting extracted, selected fields to share

New Member

Given I have some input with a bunch of fields that are not automatically extracted and I used the Field Extractor in the web interface to label the fields and I've ticked the box to select the fields I want to display.

Now that I've done that configuration, how can I take that configuration and share it with folks at other companies who also use Splunk to ingest the same data? What I think I mean is, "how can I create a sourcetype for my data?"

I understand I could write my own regexes and put them in props.conf, but if I can use the UI to do the hard part, why not? Right?

And I'm sure I'm a little ahead of myself here, but my end goal would be to put this in an app to share with other Splunk users that way. Just in case there's anything else that I should consider here with that goal in mind.

Thanks for any help.

This question seems pretty basic, I know, but I'm such a n00b with Splunk I'm not really sure how to ask it.

0 Karma

Esteemed Legend

Your data already has a sourcetype and your field extractions are already saved you should have been asked to give them names). You can search for them by going to Settings -> All configurations and searching for them by name. You can then click on each one's Permissions link and select the All Apps radio button and check Read for Everyone. That should be all that it takes for other people to see the same search-time extractions that you do. As far as the set of fields that you have checkmarked in the Field selector, this is part of your viewstate and that is not shareable in any practical way but you can certainly read up on it now that you have a name for where it is stored. Anyone who forwards data in and uses the same sourcetype that you used, will have the same things done to those events that are being done to yours.

0 Karma

New Member

Thanks, Woodcock. Perhaps I wasn't clear: I don't want to share with other Splunk users on the same system, I want to share with folks at other companies who have their own Splunk installations which ingest this kind of data.

(if I can edit my question to clarify, I'll do that now)

0 Karma

Esteemed Legend

Right; I added some detail to my answer but I will add some more here. To share, you create a Splunk application and bundle up your configurations there. In your case, you should have an inputs.conf file and a props.conf file:

http://wiki.splunk.com/Community:Creating_your_first_application

0 Karma

New Member

Ok, thanks. This link on creating an application looks to be very helpful.

So I can't benefit from the automagical regexification done via the UI to build my props.conf.

Oh well (= ... I had to write my own inputs.conf too (which is another post, but the reason why the incoming data has a "sourctype" of tcp-raw

0 Karma

Esteemed Legend

No, the UI stuff you created is saved into the appropriate whatever.conf files; you just have to root them out from the CLI (or reconstruct them).

0 Karma