use eventtype instead of sourcetype without explicit index #14
Comments
|
Oh yeah, I can definitely do that. I'll plan for it in the next release. |
|
Thanks a lot |
|
Wouldn't it be better to use a search macro? I've found the pattern used in the Splunk App for AWS to work quite well with custom indexes, where they have a macro for the index and then a macro for the sourcetype that references the index macro. Macro Name Definition Then replace any sourcetype="web_ping" with the As a user then I just override the web-ping-index macro definition with my custom index name and everything works. |
|
My plan was actually to use a macro. BTW: I have this almost complete, should be done very soon. |
|
That is a great news. Thanks for your work. |
|
This is now supported in version 2.6. I put a link to the macro at the bottom of the setup page. The macro is used in both the dashboards as well as the saved searches. |
|
I see you have made a number of commits since your released 2.6 to Splunk base. Do we need to wait for a new release? |
|
@mgholls: version 2.6 is the latest. I see any commits on this project after I released it (although I did on another project). |
Hello,
Your app is great but it makes the wrong assumption that the index containing webmon events will be searched by default. In my environment, for performance reasons, I enforce explicit usage of index=XXX in any search.
So each time you make a new release I have to edit your app to add missing index= to each dashboard, saved search (and I even found one in JS code :)
To make my life easier, would it be possible to create an eventtype equals to sourcetype="web_ping" and use everywhere instead.
This way I could easily make a single change to deal with my environment.
Thanks.
The text was updated successfully, but these errors were encountered: