Splunk Search

How do I share all of the field extractions defined in a given app with all other apps?

Splunk Employee
Splunk Employee

I need to share all of the field extractions in my app with all of the other apps on the system. What is the most efficient way to do this? I don't want to go into Manager and share the extractions one by one.

1 Solution

Splunk Employee
Splunk Employee

There are two easy ways to make everything in an app globally available:

  1. Conf file: Place the following into the file SPLUNK_HOME/etc/apps/my_app/metadata/local.meta, creating the file if necessary:

    []
    export = system

  2. GUI: Go into Manager, Apps, select the "Permissions" link for the app, and set "Sharing for config file objects" to "all apps". This generates the same file in the same place as the conf file method.

View solution in original post

Splunk Employee
Splunk Employee

The easiest way to do this is by navigating to Manager, then clicking on Apps. Next to the App you're interested in, click the Permissions link. At the bottom of the page, you'll see a set of radio buttons with this text:

Sharing for config file-only objects Set permissions for configurations that have been copied over or added to config files rather than created through the UI. Objects defined in config files only (not in the UI) should appear in

Set this to All apps, and everything you create within this app will be shared.

If you want to share a specific object (saved searches, event types, fields, etc), you can navigate to that object within Manager, for example Manager -> Saved Searches -> Permissions for specific saved search. You will see a similar set of radio buttons. Choose All apps to share your saved search.

Splunk Employee
Splunk Employee

There are two easy ways to make everything in an app globally available:

  1. Conf file: Place the following into the file SPLUNK_HOME/etc/apps/my_app/metadata/local.meta, creating the file if necessary:

    []
    export = system

  2. GUI: Go into Manager, Apps, select the "Permissions" link for the app, and set "Sharing for config file objects" to "all apps". This generates the same file in the same place as the conf file method.

View solution in original post

Splunk Employee
Splunk Employee

if you want to make all field extractions global (instead of everything), you can instead put:

[props]
export=system
[transforms]
export=system

into the file. Then all items configured in that app's props and transforms files (which includes lookups as well as field extractions, but not tags or inputs for example) will be global (other than ones specifically set to a lower sharing level).

Motivator

note, as gkanapathy says, this makes ALL the splunk knowledge items in your app globally available, instead of just the field extractions or whatever.

0 Karma

Motivator

you can do this by moving the stanzas that define them from the props.conf file that is located in that particular app's subdirectory to the same configuration file in $SPLUNK_HOME/etc/local/ (this assumes a search-time field extraction. if you're extracting fields at index time, you'd also move the relevant stanzas from transforms.conf and fields.conf.)

for more details, see http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Apparchitectureandobjectownership

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!