A TA would be able to translate the field names provided by a vendor to field names expected by your users, as well as recognizing and tagging specific event types. In practice, many TAs also include data collection inputs. This includes and configures knowledge management objects. It would make sense to include a binary folder, and some dashboards to do setup and configuration with. In practice, these are rare and the functionality is usually stuffed into a TA. This includes and configures data collection inputs only. Here are the possible types: IA: Input Add-on If you want to follow the best possible practice, buy Kyle Smith’s book and read that. However, these rules are breached as often as they are observed, and Splunk themselves are the most likely to ignore all of this guidance. Since I helped to write these definitions in the first place, I feel confident in stating what they should be. Right now, it’s here, but don’t be surprised if that breaks: Their definitions are not entirely well established, and have come and gone in official documentation. This is where the Splexicon definitions start and stop. The Add-on refers to administrator-only components. The App refers to the visible front-end app that a user will interact with. This is why you see the terms “App” and “Add-on” in Splunk. If you want to distribute components in a large environment, if you want to depend on shared components, if you want to avoid huge multi-function monoliths, then you start dividing apps into different types. If you just want to put some stuff together and run it on your laptop, you’re done at this point. You can put anything in them: code, knowledge management configuration, dashboard elements, libraries, binaries, images, whatever. They’re containers that you put Splunk objects into. Splunk apps are folders in $SPLUNK_HOME/etc/apps.
The confusion roots back to fundamental disagreements on approach that are encoded into every product the company has ever shipped, so it’s tough to recommend a meaningful change. If you’re still confused… it’s not just you. What are Splunk Apps and Add-ons? What’s the difference? All the other suggestions here are a little tangential to your original question. Note, this is old stuff now… but legacy lives on even when new solutions become available. If they don't, you should probably file a support ticket. In the end, your searches should show up in the Manager - if you are logged in as the proper user (or admin) and you have selected the proper app and options in the Manager. In that case, you will find the files under $SPLUNK_HOME/etc/users/USERNAME/YOURAPP/* Here is more info about the config files. Finally - if you can't find the nf file in the app folders, or if it doesn't contain the searches you expect, it may be because the app and/or the searches are private to the user that created them. You can edit these files directly, but you should make a backup copy of the file before you change it. If any settings conflict, the local version will override the default. When the same file appears in both the local and the default folders, Splunk combines the two. $SPLUNK_HOME/etc/apps/YOURAPP/default/data/ui/nav/default.xml $SPLUNK_HOME/etc/apps/YOURAPP/metadata/ta $SPLUNK_HOME/etc/apps/YOURAPP/local/app.conf Here are the files that affect your application and search visibility: $SPLUNK_HOME/etc/apps/YOURAPP/default/app.conf If you can't figure it out in the Splunk Manager, you can look at the underlying configuration files. There is also a checkbox for "Show only objects created in this app context." And, what user account did you use to log in to Splunk - was it the same one that you used to create the app and the saved searches? But are you sure that you have selected the proper app in the Manager?
There are two selectors at the top of the page: App Context and Owner. This is perhaps a dumb suggestion; if so, I apologize.