Getting Data In

Unable to find predefined sourcetypes after installing app on new system

arpita_biswas
New Member

Hey Splunk-gurus,

I created an app which parses events from the same log file and categorizes them into multiple sourcetypes at search-time. It works like a charm in my dev environment, but not when I try it in a new (test) environment!

Note: I did not add stanzas in inputs.conf as I assumed it wouldn't work when my monitor is the same file but the sourcetypes are different.

Transforms.conf :

[ARP]
DEST_KEY = MetaData:Sourcetype
REGEX = (.*)ARP(.*)
FORMAT = sourcetype::Arp

[UDP]
DEST_KEY = MetaData:Sourcetype
REGEX = (.*)UDP(.*)
FORMAT = sourcetype::Udp

props.conf :

[source::/my_logs_path/.logs]
TRANSFORMS-src_types = ARP, UDP

Any pointers on where I am going wrong? I packaged the app from dev environment to my new environment based on these instructions

0 Karma
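As an added illustration (not part of the original thread and not the poster's code), the shell snippet below applies the two REGEX patterns from the transforms.conf above to a few constructed sample lines, so the ARP/UDP mapping can be dry-run before the app is packaged. It also surfaces two things the stanzas alone do not show: a line matching both patterns is ambiguous (which transform wins then depends on the order in TRANSFORMS-src_types), and an unanchored `(.*)ARP(.*)` is a plain substring match, so unrelated text such as "SHARPENED" is routed to the Arp sourcetype as well. Note also that a TRANSFORMS- sourcetype override is applied at index time by the instance that parses the data, so the stanza has to be present there, not only where the search runs. The sample lines and the `classify_line`/`classify_file` helpers are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run the two sourcetype-routing
# regexes from transforms.conf against sample lines, so the mapping can be
# checked before the app is packaged. All sample lines are constructed here.

# Print the sourcetype the transforms above would assign to one line:
# "none" when neither regex matches, "ambiguous" when both do (the winner
# then depends on the order of TRANSFORMS-src_types = ARP, UDP).
classify_line() {
    line=$1
    arp=0
    udp=0
    # Same patterns as the stanzas: unanchored, case-sensitive substring match.
    printf '%s\n' "$line" | grep -Eq '(.*)ARP(.*)' && arp=1
    printf '%s\n' "$line" | grep -Eq '(.*)UDP(.*)' && udp=1
    case "$arp$udp" in
        10) echo Arp ;;
        01) echo Udp ;;
        11) echo ambiguous ;;
        *)  echo none ;;
    esac
}

# Run every line of a file through classify_line and print "sourcetype<TAB>line".
classify_file() {
    while IFS= read -r l || [ -n "$l" ]; do
        printf '%s\t%s\n' "$(classify_line "$l")" "$l"
    done < "$1"
}

# Constructed sample input covering the interesting cases.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
2024-03-01 10:00:01 ARP request who-has 10.0.0.5 tell 10.0.0.1
2024-03-01 10:00:02 UDP 10.0.0.5:53 -> 10.0.0.9:41000 len 64
2024-03-01 10:00:03 TCP 10.0.0.5:443 -> 10.0.0.9:52000 SYN
2024-03-01 10:00:04 UDP tunnel carrying ARP payload
2024-03-01 10:00:05 SHARPENED DISPLAY
EOF
classify_file "$SAMPLE"
rm -f "$SAMPLE"
```

The "ambiguous" and "SHARPENED" rows are the ones to look at: tightening the patterns (for example anchoring them to the position of the protocol field) removes both.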

arpita_biswas
New Member

Yayy! I got it working

The reason was (and correct me if I am wrong) - as per the instructions for packaging, I had deleted all local files under /local and /metadata. This leads to incomplete information in the packaged your_package_name.spl after installation in the new environment. Do not delete these files.

When we add a data input from the GUI, parameters like the source path and sourcetype are added to /local/inputs.conf. If the packaged .spl does not have these local files, it is unable to get the right paths and sourcetypes!

So, to package an app all we need to do is:

$SPLUNK_DEV/etc/apps/framework# ./splunkdj package "your_package_name"

[ This will create a your_package_name.spl in the same directory ]

$SPLUNK_TEST/etc/apps/framework# ./splunkdj install "path/your_package_name.spl"

[ This will extract it in /etc/apps/your_package_name/ ]

Verify that all files have been extracted properly (including those under /local) and hopefully you are back on track!

0 Karma

rvany
Communicator

I know this is somewhat older and maybe current workflows were not available four years ago - but:

To package an app, use:
splunk package app <app_name>

This way all files in local are merged with files already in default (IN default). The package then can be found under:
/opt/splunk/etc/system/static/app-packages/<app_name>.spl

and does NOT contain a local directory. Of course you have to install this app in the same location as it already is, to be able to delete the local stuff.

An app you create yourself normally should not contain files under local.

One thing: if you for some reason don't have a default directory you have to create it prior to packaging the app - otherwise you will be left with only that local dir.

0 Karma
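As an added example (not part of the thread and not Splunk's own tooling), the shell snippet below checks a packaged .spl before it is copied to another instance. An .spl is a gzipped tar of `<app_name>/...`, so listing its members shows whether a `local/` directory slipped in and whether `default/` is present, which are exactly the two conditions the answer above describes. The `check_spl` and `make_demo_spl` helpers, the app name `my_app`, and the files they create are assumptions of this example; the package path in the comment is the one given in the answer.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a packaged .spl before
# installing it elsewhere. An .spl is a gzipped tar of <app_name>/..., so the
# member list reveals a stray local/ directory or a missing default/.

# Print "ok" if the archive has default/ and no local/, otherwise a reason
# and a non-zero exit status.
check_spl() {
    spl=$1
    members=$(tar -tzf "$spl") || { echo "unreadable"; return 1; }
    if printf '%s\n' "$members" | grep -q '/local/'; then
        echo "has-local"
        return 1
    fi
    if ! printf '%s\n' "$members" | grep -q '/default/'; then
        echo "no-default"
        return 1
    fi
    echo "ok"
}

# Build a constructed demo package for the check above.
# $1 = output .spl path, $2 = "clean" or "with-local" (leftover local/ files).
make_demo_spl() {
    work=$(mktemp -d)
    mkdir -p "$work/my_app/default" "$work/my_app/metadata"
    printf '[ARP]\nDEST_KEY = MetaData:Sourcetype\nREGEX = (.*)ARP(.*)\nFORMAT = sourcetype::Arp\n' \
        > "$work/my_app/default/transforms.conf"
    if [ "$2" = with-local ]; then
        mkdir -p "$work/my_app/local"
        printf '[monitor:///my_logs_path/.logs]\n' > "$work/my_app/local/inputs.conf"
    fi
    tar -czf "$1" -C "$work" my_app
    rm -rf "$work"
}

# Demo run: one clean package, one with local/ leftovers.
DEMO=$(mktemp -d)
make_demo_spl "$DEMO/clean.spl" clean
make_demo_spl "$DEMO/dirty.spl" with-local
printf 'clean.spl: %s\n' "$(check_spl "$DEMO/clean.spl")"
printf 'dirty.spl: %s\n' "$(check_spl "$DEMO/dirty.spl")"
rm -rf "$DEMO"

# Against a real package built with "splunk package app <app_name>":
#   check_spl /opt/splunk/etc/system/static/app-packages/<app_name>.spl
```

A "has-local" result means settings that should have been merged into default/ are still travelling as local overrides, and a "no-default" result is the case the answer warns about where only the local directory exists.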