Creating an app is pretty simple, at least once you have the hang of it.

Start with a Linux directory called 'myorg_httpevent_props'. Replace "myorg" with an abbreviation of your company name. There's nothing special about this name, so you can use any name that doesn't conflict with another Splunk app (globally). Create a subdirectory called "default" (it must be exactly that). Within that directory, create three files: app.conf, props.conf, and transforms.conf. The latter two will hold your configs from the OP. The app.conf file tells Splunk about the app and will look something like this:

[install]
state = enabled
[package]
check_for_updates = false
# The value below must match the directory name
id = myorg_httpevent_props
[ui]
is_visible = false
[launcher]
version = 1.0.0
author = <your name>
description = <some helpful text>

chmod the files with 644 and then put them into a compressed tarball. Upload the tarball to your Splunk Cloud search head and wait for it to be vetted. If vetting fails, read the report, make the necessary changes, and upload again. (Delete the old upload before re-uploading.) Once the app passes vetting, you can install it.
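The steps in the answer above as a shell script, added here as an example and not part of the original post. The function names `build_app` and `check_app_id` are made up for illustration, and the empty props.conf and transforms.conf placeholders stand in for your own configs.

```shell
#!/bin/sh
# Added example: scaffold, check and package the app described above.

# Succeeds only if the id in default/app.conf equals the app directory name.
check_app_id() {
    dir="${1%/}"
    app_id=$(sed -n 's/^id[[:space:]]*=[[:space:]]*//p' "$dir/default/app.conf" | head -n 1)
    [ "$app_id" = "$(basename "$dir")" ]
}

# build_app <app_dir_name> <work_dir>  ->  <work_dir>/<app_dir_name>.tar.gz
build_app() {
    app="$1"
    work="$2"
    mkdir -p "$work/$app/default" || return 1

    cat > "$work/$app/default/app.conf" <<EOF
[install]
state = enabled
[package]
check_for_updates = false
# The value below must match the directory name
id = $app
[ui]
is_visible = false
[launcher]
version = 1.0.0
author = <your name>
description = <some helpful text>
EOF

    # Keep existing props/transforms; create empty placeholders otherwise.
    for f in props.conf transforms.conf; do
        [ -e "$work/$app/default/$f" ] || : > "$work/$app/default/$f"
    done

    chmod 644 "$work/$app/default/"*.conf || return 1
    check_app_id "$work/$app" || { echo "app.conf id != directory name" >&2; return 1; }

    # Archive from the parent so the app directory is the top-level entry.
    tar -czf "$work/$app.tar.gz" -C "$work" "$app"
}

# Stand-alone use: ./build_app.sh myorg_httpevent_props /tmp/build
if [ -n "${1:-}" ]; then
    build_app "$1" "${2:-.}"
fi
```

Running `check_app_id` on a hand-edited app directory before creating the tarball catches a mismatch between the id and the directory name.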