I am in the middle of the development of the XXXX Splunk App, which is built on top the TA XXXX I built before. Obviously I have a sourcetype in this app called XXXX-CEF, thus that all the XXXX events parsed with this sourcetype are parsed the right way. This means I can only see the fields of my sourcetype in the search of my XXXX Splunk App.
After finishing building searches just for my XXXX events, I started creating searches also including events parsed by a different sourcetype using still the search of my XXXX Splunk App. For some reason my XXXX Splunk App only has the fields of my XXXX sourcetype, and if I want to search a different index with events parsed with a different sourcetype, I can’t search for the fields of this different sourcetype in my app. Only the official Splunk “Search and Reporting App” works for that. Is this right? Is there any way to make my XXXX App include all the fields of all the sourcetype used by the Splunk instance?
Thanks for the help,
↧