Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Test props and transforms from Splunk UI

VatsalJagani
SplunkTrust
SplunkTrust
‎06-25-2019 06:32 AM

In Splunk when we add data via uploading file it gives UI to add and verify props.conf properties there, like timestamp extraction. This functionality is very useful while developing Add-on. (see below image)
alt text

I'm looking for functionality (may be via some other App) that can also give functionality to verify transforms.conf parameters also. Optionally if possible for tags.conf, eventtypes.conf parameters.

This functionality is very useful for a Splunk App developer as sometimes we don't have access to back-end.

Preview file
66 KB
0 Karma
Reply

adonio
Ultra Champion
‎06-25-2019 07:29 AM

look for this beta program:
https://www.splunk.com/en_us/software/splunk-next/splunk-data-stream-processor.html

also, there is a product that does what you are looking for ...
will not advertise it here, but if you will look carefully, you can use your favorite search engine to find it

hope it helps

Reply

FrankVl
Ultra Champion
‎06-25-2019 06:39 AM

I'm not aware of such features, but perhaps there is some app for that.

Typically you'd do this by onboarding (sample) data to a non-PROD Splunk instance first, where you would have full control as a developer.

Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-25-2019 07:03 AM

FrankVI's suggestion would be the way to go. If you work at a Splunk customer, you are able to request a 6-month, personalized dev/test license (50GB). It has limitations (single server, one user, etc...), but is great for testing props, transforms, etc... before you start playing around with your production environment.

https://www.splunk.com/blog/2016/11/02/devtest-licenses.html

At the end of the 6 months, you can request another license. When making the request, make sure you use a splunk.com user that is attached to your company email.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-25-2019 07:10 AM

The issue is not related to licence, I even don't want to index the events. I just want to write props and transforms for sample events.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-25-2019 07:03 AM

Yeah, Agree with you but still if this feature is there direct on the UI then I would be able to write all configuration at comparatively flash speed.

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...