Re-using a scheduled search in another app

yoho
Contributor

I'd like to re-use a scheduled search already defined in an application (the SplunkforBlueCoat app) in my own app (let's call it "myownapp") and my own views.

The scheduled search in the BlueCoat app is defined as follows (in the "default" dir); it uses a macro:

[BlueCoat - Stats - Collect]
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
displayview = flashtimeline
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_view = flashtimeline
search = `bcoat_request` | table _time action bytes_in bytes_out category cs_uri_path cs_uri_scheme dest_host filter_result http_content_type http_referrer http_user_agent src_ip src_user x_bluecoat_application_name x_virus_id | tscollect namespace=bluecoat_stats
disabled = 0

I don't like to copy/paste code or config and I prefer to re-use it. So my plan is to:

  1. Make this search "global". I did this by adding 2 stanzas into local.meta for the SplunkforBlueCoat app.
  2. Disable the search (and its schedule) from the SplunkforBlueCoat app
  3. Enable this search (and its schedule) from the myownapp app

I did this by creating SplunkforBluecoat/metadata/local.meta:

[savedsearches]
export = system
[macros]
export = system

...and creating SplunkforBluecoat/local/savedsearches.conf:

[BlueCoat - Stats - Collect]
disabled = 1

...and creating myownapp/default/savedsearches.conf:

[BlueCoat - Stats - Collect]
disabled = 0

After restarting Splunk, the result in the manager GUI is what I expect (global knowledge objects, disabled search in the SplunkforBlueCoat app, enabled search in myownapp, definition of the knowledge objects appears to be fine).

However, the scheduled search doesn't run (it just doesn't start) and indeed doesn't appear in the job GUI.

Any idea why? How does the job scheduler build the list of scheduled searches?

0 Karma
1 Solution

yoho
Contributor

Finally found it!

So even if the schedule appeared not to be disabled when using the btool command above (the enableSched value was 1), it actually was. I noticed it because the GUI did not display any schedule time for myownapp's search (even if the search itself was enabled).

So the solution is to add to myownapp/default/savedsearches.conf under the [BlueCoat - Stats - Collect] stanza:

enableSched = 1

0 Karma

yoho
Contributor

Forgot to mention one important thing: the reason why I'd like to run it in myownapp's context is because I override macro bcoat_request.

Not sure it's linked to precedence. If I run the splunk btool command from alacercogitatus, I see the following line:

/opt/splunk/etc/apps/myownapp/default/savedsearches.conf            disabled = 0
0 Karma

alacercogitatus
SplunkTrust

This looks like folder precedence. They will follow precedence, so it's disabled.

splunk cmd btool --debug savedsearches list "BlueCoat - Stats - Collect"

This will show you what settings are applied from where.

I don't think you need to copy it at all. Just set permissions global, and it's available for all apps.

0 Karma
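As an added illustration (not Splunk's code and not posted by anyone in this thread), the following Python script emulates the layered merge that `splunk cmd btool --debug` reports for one stanza, using constructed copies of the three savedsearches.conf files described in the question, and also lists which settings an app's own files leave to be inherited from another app, which is the gap the accepted answer closed by adding enableSched = 1 to myownapp. The layer order is supplied by the caller; the order used here (default before local, later entries overriding earlier ones, and the relative order of the two apps) is an assumption, and the real scheduler's behaviour is not modelled.

```python
"""Layered .conf merge with per-key provenance, in the spirit of
`splunk cmd btool --debug`.  Added illustration, not Splunk's own code."""
import re
from typing import Dict, List, Tuple

Stanzas = Dict[str, Dict[str, str]]   # stanza -> key -> value
Layer = Tuple[str, str]               # (file path, file contents)

STANZA = "BlueCoat - Stats - Collect"

# Constructed copies of the files discussed in the thread, listed in the
# order they are assumed to be applied (ascending precedence: a later file
# overrides an earlier one for the same key).  Default-before-local is the
# usual Splunk layering; the relative order of the two apps is an assumption.
LAYERS: List[Layer] = [
    ("apps/SplunkforBlueCoat/default/savedsearches.conf", """
[BlueCoat - Stats - Collect]
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
displayview = flashtimeline
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_view = flashtimeline
search = `bcoat_request` | tscollect namespace=bluecoat_stats
disabled = 0
"""),
    ("apps/myownapp/default/savedsearches.conf", """
[BlueCoat - Stats - Collect]
disabled = 0
"""),
    ("apps/SplunkforBlueCoat/local/savedsearches.conf", """
[BlueCoat - Stats - Collect]
disabled = 1
"""),
]

# The same layers with the accepted answer's fix applied: myownapp's own
# default file also sets enableSched = 1.
FIXED_LAYERS: List[Layer] = [
    (path, text + "enableSched = 1\n") if path.startswith("apps/myownapp/") else (path, text)
    for path, text in LAYERS
]

_STANZA_RE = re.compile(r"^\[(.+)\]$")


def parse_conf(text: str) -> Stanzas:
    """Parse Splunk-style .conf text: [stanza] headers and key = value lines.
    Blank lines and # comments are skipped; the first '=' splits key/value."""
    stanzas: Stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _STANZA_RE.match(line)
        if m:
            current = m.group(1).strip()
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_with_provenance(layers: List[Layer], stanza: str) -> Dict[str, Tuple[str, str]]:
    """Merge one stanza across layers (ascending precedence) and record, per
    key, the file that supplied the effective value."""
    merged: Dict[str, Tuple[str, str]] = {}
    for path, text in layers:
        for key, value in parse_conf(text).get(stanza, {}).items():
            merged[key] = (value, path)
    return merged


def app_of(path: str) -> str:
    """App name for a path of the form apps/<app>/..., else an empty string."""
    parts = path.split("/")
    return parts[1] if len(parts) > 2 and parts[0] == "apps" else ""


def keys_not_set_by_app(layers: List[Layer], stanza: str, app: str) -> List[str]:
    """Keys of the merged stanza that none of `app`'s own files set, i.e. the
    settings the app relies on inheriting from other apps."""
    all_keys, own_keys = set(), set()
    for path, text in layers:
        keys = parse_conf(text).get(stanza, {}).keys()
        all_keys.update(keys)
        if app_of(path) == app:
            own_keys.update(keys)
    return sorted(all_keys - own_keys)


def format_debug(layers: List[Layer], stanza: str) -> str:
    """Render the merged stanza in a btool --debug-like 'path  key = value' layout."""
    merged = merge_with_provenance(layers, stanza)
    return "\n".join(f"{path:<52} {key} = {value}" for key, (value, path) in sorted(merged.items()))


if __name__ == "__main__":
    print(format_debug(LAYERS, STANZA))
    print("inherited by myownapp:", keys_not_set_by_app(LAYERS, STANZA, "myownapp"))
    print("inherited after fix:  ", keys_not_set_by_app(FIXED_LAYERS, STANZA, "myownapp"))
```

Run as-is, the provenance listing shows enableSched coming from the BlueCoat app's default file while myownapp's only own setting is disabled; after the fix, enableSched is supplied by myownapp itself and disappears from its inherited-keys list.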

yoho
Contributor

It's not possible to change the context of an existing search in the GUI, the only thing you can do is cloning. But I don't like copy/paste stuff for the simple reason that once SplunkforBlueCoat app will be updated myownapp's search won't be.

0 Karma

alacercogitatus
SplunkTrust

The configuration stacks. So if it says disabled = 0 then it is not disabled. The scheduler looks exactly like the btool outputs. If you want it in the myownapp context, move it from the BlueCoat app to the myownapp in the GUI.

0 Karma

yoho
Contributor

Running the btool command you provide doesn't help (see my comment above).

Anyway, if you run it like this, I suppose the btool command will use the global context, but is that the one used by the scheduler?

0 Karma

yoho
Contributor

If you set permissions to global, yes, it's available as a search, but it's only scheduled in the original app's context.

I forgot to mention I would like to run it in my own app's context because I override the macro bcoat_request.

0 Karma