Hello, I see 3 ways to achieve it:
a/ The first method I suggested indeed needs the eventgen app you mentioned.
If you want your user to use the GUI to upload the sample, I'd simply create a 2nd (standalone) app that will use eventgen:
mysampleapp-local-eventgen.conf
mysampleapp-samples-mysample.txt
This way your users upload 3 apps: originalapp, eventgen, mysampleapp.
b/ Simply put the file on GitHub, and ask people to use the GUI: Settings -> Add Data, and select your sourcetype. (This requires a little knowledge of Splunk.)
c/ Without eventgen:
Create a simple app containing inputs.conf, your file, and indexes.conf, so that it indexes the file when the app is installed. The app would contain an indexes.conf to put the file in a new index, and not mess with their existing indexes. If you do this, I recommend you warn the user that this will create a new index and index the file:
Your app contains: mysimpleapp-local-inputs.conf
[monitor:///$SPLUNK_HOME/etc/apps/mysimpleapp/samples/mysample.txt]
sourcetype=xy
index=toto
disabled=0
(Note: if you are willing to do a good job, add two stanzas, one for Unix, one for Windows.)
For the indexes.conf stanza: simply declare a new index.
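Option (c) scaffolded end to end, as an added example that is not part of the original post: it writes the app, checks that every index named in inputs.conf is declared in indexes.conf, and packages it. The `mysimpleapp/local/` layout is a reading of the post's file naming, and the Windows stanza, the `$SPLUNK_DB` index paths and the sample event are assumptions.

```shell
# Added example: scaffold option (c) as an installable app archive.
# Names (mysimpleapp, toto, xy) are the post's placeholders.
# Fail if inputs.conf routes events to an index that indexes.conf does not declare.
check_indexes() {
    app_dir=$1
    for idx in $(sed -n 's/^index *= *//p' "$app_dir/local/inputs.conf" | sort -u); do
        grep -qxF "[$idx]" "$app_dir/local/indexes.conf" || {
            echo "undeclared index: $idx" >&2
            return 1
        }
    done
}

build_app() {
    out_dir=$1
    app_dir="$out_dir/mysimpleapp"
    mkdir -p "$app_dir/local" "$app_dir/samples" || return 1
    # Constructed sample event; replace with the real sample file.
    echo '2024-01-01T00:00:00Z action=login user=alice result=success' \
        > "$app_dir/samples/mysample.txt"
    # Quoted heredocs keep $SPLUNK_HOME / $SPLUNK_DB literal for Splunk to expand.
    cat > "$app_dir/local/inputs.conf" <<'EOF'
# Unix path form (as in the post)
[monitor:///$SPLUNK_HOME/etc/apps/mysimpleapp/samples/mysample.txt]
sourcetype = xy
index = toto
disabled = 0

# Windows path form (assumed backslash equivalent of the stanza above)
[monitor://$SPLUNK_HOME\etc\apps\mysimpleapp\samples\mysample.txt]
sourcetype = xy
index = toto
disabled = 0
EOF
    cat > "$app_dir/local/indexes.conf" <<'EOF'
[toto]
homePath   = $SPLUNK_DB/toto/db
coldPath   = $SPLUNK_DB/toto/colddb
thawedPath = $SPLUNK_DB/toto/thaweddb
EOF
    check_indexes "$app_dir" || return 1
    tar -czf "$out_dir/mysimpleapp.tgz" -C "$out_dir" mysimpleapp
}
```

Calling `build_app /tmp/out` leaves `/tmp/out/mysimpleapp.tgz`; the dedicated index keeps the sample data separate from existing indexes, so it can be removed later without touching them.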