All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on Builder: How does it determine which sourcetypes are available when adding sample data from Splunk?

masonmorales
Influencer
‎02-17-2017 10:41 AM

I've noticed that the vast majority of sourcetypes that I have indexed are not appearing in the "Select a sourcetype" drop-down menu when trying to add data from Splunk in the "Add Sample Data" step. How is the TA looking for sourcetypes to populate the drop-down menu with?

0 Karma
Reply

ehaddad_splunk
Splunk Employee
Splunk Employee
‎02-17-2017 10:54 AM

Sourcetypes are tied to data collection.
1- If it is mod input (built in Addon builder) it automatically shows on the list
2- If it is data indexed by Splunk core such HEC or syslog, you will need to import it by clicking on "import from splunk" button under "add sample data tab". Once you have imported it, it becomes visible to you in Addon builder so that you can apply knowledge ( field extraction and cim mapping) as part of the add-on
3- if you want to add file monitoring in addon, click on "upload from file", it becomes visible to you in Addon builder so that you can apply knowledge ( field extraction and cim mapping) as part of the add-on

This has become a common question we get, we will improve the UX to make it more clear in furture but hope this answers your question.

0 Karma
Reply

masonmorales
Influencer
‎02-17-2017 10:59 AM

Okay, so the problem is, I'm doing Step 2 and the sourcetype is not visible in the addon builder, so I'm not able to select it and move onto the Extract Fields step. I've tested this on both Linux+Windows installs of Splunk v6.5.2 with the same problem. Is this a bug then?

0 Karma
Reply

ehaddad_splunk
Splunk Employee
Splunk Employee
‎02-17-2017 11:00 AM

could be a bug. One thing i forgot to mention, make sure you have data in that sourcetype. If teh sourcetype has no data in the last week or month (forgot which one) then it wont be visible. Can you confirm the same?

0 Karma
Reply

masonmorales
Influencer
‎02-17-2017 11:04 AM

There are events in the past 24 hours with a matching sourcetype. The sourcetype does not appear in the "Select a sourcetype" drop-down menu on the Add Sample Data page after clicking the "Add From Splunk" button. I am using v2.0.0 of the addon.

0 Karma
Reply

ehaddad_splunk
Splunk Employee
Splunk Employee
‎02-17-2017 11:08 AM

ok sounds like a bug to me. We are releasing 2.1.0 very soon. I would try that version first and if problem persists, please file a bug. I will send you an email offline with early access.

0 Karma
Reply

masonmorales
Influencer
‎02-17-2017 03:44 PM

I have the same problem in 2.1.0. I'll open a support case.

0 Karma
Reply

damianpadden
Observer
‎03-25-2024 03:59 AM

Did u get to the solution for this. Running version 4.4 and have the exact issue.

 

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...