Splunk Search

Define a variable/constant in configuration/setup file for app

mikaelbje
Motivator

I am building a few apps and have users requesting an easy way to change the default index name the app searches through. Is there a way to define this variable/constant in just one place and use it in indexes.conf and all my saved searches so that users don't have to search and replace the default index=name in all the files? I figure using a macro I could achieve this, but the macro wouldn't expand in indexes.conf so that file would still have to be manually edited with the right index name.

Something like a variables.conf/constants.conf file for each app would be excellent to set specific vars/constants to be reused in searches etc. for the scope of the app.

0 Karma

rsennett_splunk
Splunk Employee

Your app configuration UI can create and manage indexes through the REST API:

http://docs.splunk.com/Documentation/Splunk/5.0.2/RESTAPI/RESTindex

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

mikaelbje
Motivator

Sorry for my very late reply. Your suggestion is a viable option for an app that has a UI, but for a TA users still need to edit inputs.conf and transforms.conf to set the specific variable. If I could just reference that variable from these files that would solve it, but there is no place to set a variable like this. I.e. CISCO_IOS_INDEX=ios
I'd then like to reference $CISCO_IOS_INDEX in inputs.conf and transforms.conf

0 Karma

mikaelbje
Motivator

Hi Kristian,

Well, this is an app that I want to fit several customers. Some want to have their own index name, others want the default.

All my searches specifically search in the default "ios" index. This "index=ios" string is defined in the saved searches and [ios] is defined in the indexes.conf file that I distribute with the app. Some users may want to put all logs in an index called e.g. "network" instead, and to accommodate their need I would like to define the index name in one place.

I could of course remove the whole index=ios search, but I want to specifically search in the right index.

0 Karma

kristian_kolb
Ultra Champion

I don't think that you want to have users change indexes.conf, since that is where the indexes are defined (i.e. not related to how they are searched).

0 Karma