Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Define a variable/constant in configuration/setup file for app

mikaelbje
Motivator
‎04-06-2013 12:58 AM

I am building a few apps and have users requesting an easy way to change the default index name the app searches through. Is there a way to define this variable/constant in just one place and use it in indexes.conf and all my saved searches so that users don't have to search and replace the default index=name in all the files? I figure using a macro I could achieve this, but the macro wouldn't expand in indexes.conf so that file would still have to be manually edited with the right index name.

Something like a variables.conf/constants.conf file for each app would be excellent to set specific vars/constants to be reused in searches etc. for the scope of the app.

Tags (2)
0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎04-06-2013 10:06 AM

Your app configuration UI can create and manage indexes through the REST API

http://docs.splunk.com/Documentation/Splunk/5.0.2/RESTAPI/RESTindex

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply

mikaelbje
Motivator
‎10-16-2013 12:01 AM

Sorry for my very late reply. Your suggestion is a viable option for an app that has a UI, but for a TA users still need to edit inputs.conf and transforms.conf to set the specific variable. If I could just reference that variable from these files that would solve it, but there is no place to set a variable like this. I.e. CISCO_IOS_INDEX=ios
I'd then like to reference $CISCO_IOS_INDEX in inputs.conf and transforms.conf

0 Karma
Reply

mikaelbje
Motivator
‎04-06-2013 03:03 AM

Hi Kristian,

Well, this is an app that I want to fit several customers. Some want to have their own index name, others want the default

All my searches specifically search in the default "ios" index. This "index=ios" string is defined in the saved searches and [ios] is defined in the indexes.conf file that I distribute with the app. Some users may want to put all logs in an index called i.e. "network" instead, and to accomodate their need I would like to define the index name one place.

I could of course remove the whole index=ios search, but I want to specifically search in the right index

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-06-2013 02:48 AM

I don't think that you want to have users change indexes.conf, since that is where the indexes are defined (i.e. not related to how they are searched).

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...