NOTE for Splunk 6.2(+): version 1.3 addresses the issue; on earlier app versions you need to adjust a couple of macros (props_config_lookup, props_score_raw, and stitch_props_trans) to account for changes Splunk has made. The affected section is the following eval:
| eval sourcetype = if(isnull(sourcetype), title, sourcetype)
It should be changed to something like this (previous Splunk 6.x versions could probably work with just the len check, but isnull is left in just in case):
| eval sourcetype = if(isnull(sourcetype) OR len(sourcetype)<1, title, sourcetype)
Whereas apps like Splunk on Splunk are designed to help the Splunk admin understand what is happening with their deployment at an engine level, this app is designed to help the Splunk admin understand and assess the maturity of their deployment at a data level.
Splunk 6.x is required due to frequently used internal REST searches, use of the foreach command, and the changes to Simple XML.
No new indexes are created, though there are 3 scheduled searches which ship enabled. Once the app is installed it might take a few hours before some of the panels show data. As everyone's environment is different from both a data and a hardware perspective, there are 2 dashboards under Knowledge Management to help you assess the coverage these searches provide relative to search frequency and length. You may find the searches need to be tweaked.
The props and field extraction score methodologies are documented in the app. At a high level there are 7 props settings that should be assigned to each sourcetype to help Splunk onboard your data; this app looks for their presence. On the field extraction side, a comparison is made between the combined byte length of the extracted fields and the byte length of _raw. This is admittedly not a perfect science; however, it allows you to make a high-level judgment on how much field definition is taking place on a sourcetype-by-sourcetype basis.
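The following is an added worked example, not code from the app, showing the two scoring ideas just described together with the sourcetype fallback from the 6.2 note above. It parses a constructed props.conf fragment, reports which onboarding settings each stanza lacks, and computes the field-bytes-to-_raw-bytes ratio for a constructed event. The page names only TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD among the 7 settings the app checks, so the ONBOARDING_SETTINGS list here is an assumption (six commonly recommended props.conf keys), not the app's own list, and all function names are the editor's.

```python
import re

# Constructed props.conf fragment for the example (not from the app).
SAMPLE_PROPS_CONF = """
[acme:web]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
LINE_BREAKER = ([\\r\\n]+)
SHOULD_LINEMERGE = false
TRUNCATE = 10000

[acme:legacy]
SHOULD_LINEMERGE = true
"""

# ASSUMPTION: the app documents 7 settings; the page only names two of them.
# These six are the editor's choice of common onboarding keys, not the app's list.
ONBOARDING_SETTINGS = (
    "TIME_PREFIX",
    "MAX_TIMESTAMP_LOOKAHEAD",
    "TIME_FORMAT",
    "LINE_BREAKER",
    "SHOULD_LINEMERGE",
    "TRUNCATE",
)

# Constructed event and the fields a hypothetical extraction produced from it.
SAMPLE_RAW = "2024-01-15T10:22:07 host=web01 user=alice status=200 bytes=512"
SAMPLE_FIELDS = {"host": "web01", "user": "alice", "status": "200", "bytes": "512"}


def parse_props_conf(text):
    """Minimal props.conf reader: returns {stanza: {KEY: value}}.

    Keeps key case (Splunk settings are case-sensitive) and ignores
    blank lines and '#' comments.
    """
    stanzas = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def props_score(settings, required=ONBOARDING_SETTINGS):
    """Fraction of required settings that are present and non-empty,
    plus the list of the ones still missing."""
    missing = [k for k in required if settings.get(k, "") == ""]
    return (len(required) - len(missing)) / len(required), missing


def field_coverage(raw, fields):
    """Combined UTF-8 byte length of extracted field values divided by the
    byte length of _raw. Overlapping or duplicated extractions can push this
    above 1.0, which is why the page calls the method 'not a perfect science'."""
    raw_bytes = len(raw.encode("utf-8"))
    if raw_bytes == 0:
        return 0.0
    field_bytes = sum(len(str(v).encode("utf-8")) for v in fields.values())
    return field_bytes / raw_bytes


def effective_sourcetype(row):
    """Python equivalent of the corrected macro eval: fall back to the REST
    row's title when sourcetype is absent (null) or an empty string, which is
    what Splunk 6.2+ returns for unset fields."""
    sourcetype = row.get("sourcetype")
    if sourcetype is None or len(sourcetype) < 1:
        return row["title"]
    return sourcetype


if __name__ == "__main__":
    for name, settings in parse_props_conf(SAMPLE_PROPS_CONF).items():
        score, missing = props_score(settings)
        print(f"{name}: props score {score:.2f}, missing {missing}")
    print(f"field coverage: {field_coverage(SAMPLE_RAW, SAMPLE_FIELDS):.2f}")
```

Run against a real props.conf dump (for example the output of `btool props list`) by replacing SAMPLE_PROPS_CONF; the props score is per stanza, so stanzas such as default or source:: patterns will show up alongside sourcetypes and may need filtering.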
Adjusted several REST queries to account for a Splunk 6.2 change to "null" values in fields (see the note in the documentation)
Added a Sourcetyping section in Data Management (pretty cool stuff here)
Moved away from the metrics logs in several dashboards as elements just aren't accurate for anything but smaller environments. These dashboards now use the summary data created by the app. This means if you are a new user there are some dashboards that won't populate until the queries have run at least once.
Tried to upload a tarball but Splunk had trouble extracting it for some reason so I extracted it on my Mac and compressed from there as a zip /shrug
* Fixed a couple spelling and space issues
* Changed a couple hard coded searches to use the summary index macro
* Removed the stash sourcetype (default sourcetype for data created within Splunk i.e. summary searches) from the props score and Sourcetype Score List dashboard.
* Took the data taxonomy csv out of the app so that if you've made changes it won't be overwritten. There is now a seed csv so that if this is the first time you are using the app you can run a query to move the data into the correct csv.
* Fixed an issue with the build sourcetype_field.csv query
* Updated issue description case statement for field tokens not defined in associated regex
* Added dashboard leveraging timestartpos and timeendpos fields in relation to defining TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD