Splunk Search

Using my custom app with only one sourcetype included, is it possible to search for fields from events with other sourcetypes in the custom app?

alex1895
Path Finder

I am in the middle of the development of the XXXX Splunk App, which is built on top of the TA XXXX I built before. Obviously I have a sourcetype in this app called XXXX-CEF, so that all the XXXX events parsed with this sourcetype are parsed the right way. This means I can only see the fields of my sourcetype in the search of my XXXX Splunk App.

After finishing building searches just for my XXXX events, I started creating searches also including events parsed by a different sourcetype, still using the search of my XXXX Splunk App. For some reason my XXXX Splunk App only has the fields of my XXXX sourcetype, and if I want to search a different index with events parsed with a different sourcetype, I can't search for the fields of this different sourcetype in my app. Only the official Splunk "Search and Reporting App" works for that. Is this right? Is there any way to make my XXXX App include all the fields of all the sourcetypes used by the Splunk instance?

Thanks for the help,

1 Solution

gtriSplunk
Path Finder

If you plan on publishing the app or distributing it, you need to either package the props/transforms that are needed to make these fields or include a requirement that they install the other TAs that include the extractions. The only way to make the extractions work within your XXXX Splunk App on your search head is to find the extractions and change the permissions to "global" instead of "local". If the extraction is "local" to the "Search and Reporting App", then you won't be able to see it in your XXXX Splunk App. Take a look at the image below; these two extractions are saved in the "search" app, but are also global so other apps can use them.

[screenshot: the two field extractions, saved in the "search" app with global permissions]

Hope this helps,

GTRI Splunk Team!
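The same permission change the answer describes in the UI, expressed as the on-disk configuration Splunk writes, as an added example that is not part of the original post. The TA name `TA-other`, the sourcetype `other:events` and the field `src_user` are assumptions; the `[props]` metadata stanza syntax and `export = system` are Splunk's own.

```ini
# Added example, not from the original post. Assumed names: an app "TA-other"
# that ships a field extraction for sourcetype "other:events".

# --- $SPLUNK_HOME/etc/apps/TA-other/default/props.conf ---
# Search-time extraction; it only produces the field src_user in apps that
# are allowed to see this knowledge object.
[other:events]
EXTRACT-src_user = user=(?<src_user>\S+)

# --- $SPLUNK_HOME/etc/apps/TA-other/metadata/default.meta ---
# Without "export = system" the extraction is app-private ("local"): a search
# run from another app (e.g. the XXXX Splunk App) will not see src_user.
# With it, the object is "global", which is what the answer's screenshot shows.
[props]
export = system
access = read : [ * ], write : [ admin ]

# Equivalent for a single extraction created in the Search and Reporting app
# and then shared globally from the UI (Splunk writes this into
# $SPLUNK_HOME/etc/apps/search/metadata/local.meta):
[props/other:events/EXTRACT-src_user]
export = system
access = read : [ * ], write : [ admin ]

# How to check which apps can see the extraction, from a search bar:
#   | rest /services/data/props/extractions
#   | search title="other:events : EXTRACT-src_user"
#   | table title eai:acl.app eai:acl.sharing
# eai:acl.sharing should read "global"; "app" means it is still app-private.
#
# From the search head's shell, to see which file defines the stanza:
#   splunk btool props list other:events --debug
```

Packaging the extraction in a TA that is installed on the search head, as the answer recommends, is what keeps the field visible after upgrades; sharing from the `search` app's `local.meta` only fixes that one instance.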
