I need to share all of the field extractions in my app with all of the other apps on the system. What is the most efficient way to do this? I don't want to go into Manager and share the extractions one by one.
There are two easy ways to make everything in an app globally available:
Conf file: Place the following into the file SPLUNK_HOME/etc/apps/my_app/metadata/local.meta, creating the file if necessary:
[]
export = system
GUI: Go into Manager, Apps, select the "Permissions" link for the app, and set "Sharing for config file objects" to "all apps". This generates the same file in the same place as the conf file method.
The easiest way to do this is by navigating to Manager, then clicking on Apps. Next to the App you're interested in, click the Permissions link. At the bottom of the page, you'll see a set of radio buttons with this text:
Sharing for config file-only objects Set permissions for configurations that have been copied over or added to config files rather than created through the UI. Objects defined in config files only (not in the UI) should appear in
Set this to All apps, and everything you create within this app will be shared.
If you want to share a specific object (saved searches, event types, fields, etc), you can navigate to that object within Manager, for example Manager -> Saved Searches -> Permissions for specific saved search. You will see a similar set of radio buttons. Choose All apps to share your saved search.
There are two easy ways to make everything in an app globally available:
Conf file: Place the following into the file SPLUNK_HOME/etc/apps/my_app/metadata/local.meta, creating the file if necessary:
[]
export = system
GUI: Go into Manager, Apps, select the "Permissions" link for the app, and set "Sharing for config file objects" to "all apps". This generates the same file in the same place as the conf file method.
if you want to make all field extractions global (instead of everything), you can instead put:
[props]
export=system
[transforms]
export=system
into the file. Then all items configured in that app's props and transforms files (which includes lookups as well as field extractions, but not tags or inputs for example) will be global (other than ones specifically set to a lower sharing level).
note, as gkanapathy says, this makes ALL the splunk knowledge items in your app globally available, instead of just the field extractions or whatever.
you can do this by moving the stanzas that define them from the props.conf file that is located in that particular app's subdirectory to the same configuration file in $SPLUNK_HOME/etc/local/ (this assumes a search-time field extraction. if you're extracting fields at index time, you'd also move the relevant stanzas from transforms.conf and fields.conf.)
for more details, see http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Apparchitectureandobjectownership