https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577899#M10917 Are you running SPL on your app (my_app) context or in search app? If you want that those extractions are working somewhere else you must add that information to meta/default.meta inside our app.<BR /><BR />And you have done restart or at least reload on SH side after deployment?<BR /><BR />Also I think that you are not needing " in a FIELDS as separating field names.<BR /><BR />r. Ismo Thu, 09 Dec 2021 13:54:51 GMT isoutamo 2021-12-09T13:54:51Z https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577834#M10911 <P>Hi,</P><P>&nbsp;I am currently working in a new environment where I am trying to do field extraction based of pipe delimiter.</P><P>1) A new app (say my_app) with only inputs.conf is pushed onto the target uf through the deployment server.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">inputs.conf: [monitor:///path1/file1] index=my_index soyrcetype=my_st</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>2) Data is getting ingested and the requirement is to do field extraction on all the events separated by pipe delimiter (12345|2021-09-12 11:12:34 345|INFO|blah|blah|blah blah)</P><P>My approach followed</P><P>1) Create a new app (plain folder my_app) on my deployer and push it to the search heads with below conf files</P><P>I felt it was simple to achieve and did this. somehow it's not working. Did I miss any step to link the app on forwarder and the shc?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">ls my_app/default/ app.conf props.conf transforms.conf props.conf [my_st] REPORT-getfields = getfields transforms.conf [getfields] DELIMS = "|" FIELDS = "thread_id","timestamp","loglevel","log_tag","message"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 09 Dec 2021 00:52:46 GMT https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577834#M10911 nareshinsvu 2021-12-09T00:52:46Z https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577899#M10917 Are you running SPL on your app (my_app) context or in search app? If you want that those extractions are working somewhere else you must add that information to meta/default.meta inside our app.<BR /><BR />And you have done restart or at least reload on SH side after deployment?<BR /><BR />Also I think that you are not needing " in a FIELDS as separating field names.<BR /><BR />r. Ismo Thu, 09 Dec 2021 13:54:51 GMT https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577899#M10917 isoutamo 2021-12-09T13:54:51Z https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577943#M10920 <P>Just to make sure - that "soyrcetype" is just a typo on forums, not in your actual config?</P> Thu, 09 Dec 2021 21:00:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577943#M10920 PickleRick 2021-12-09T21:00:10Z https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577953#M10925 <P>Yes, sourcetypes and indexes are just examples in this forum. My config doesnt have typos</P> Thu, 09 Dec 2021 22:18:33 GMT https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577953#M10925 nareshinsvu 2021-12-09T22:18:33Z https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577958#M10926 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp; - it worked after setting up permissions in default.meta. Thanks for your reply. it worked <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 09 Dec 2021 23:01:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/Search-Time-extraction-not-working/m-p/577958#M10926 nareshinsvu 2021-12-09T23:01:29Z