topic Re: eval not working in props.conf in Getting Data In

Why does eval search work but eval in the props conf file doesn't creating new field?

nareshinsvu — Thu, 17 Feb 2022 00:19:45 GMT

Hi,

My environment has multiple apps. I got a requirement to default a value to a temp field. While my eval in the search works but eval in the props conf file isn't creating the new field. Please help me troubleshoot.

My conf files are below:

INPUTS ON FORWARDERS: [monitor:///var/log/omega] index=foo_bar_transaction sourcetype=foo_car PROPS ON SHC: [foo_car] EVAL-tempvariable = "Test_Eval" EVAL-datacenter = if(IN(mvindex(split(host,"-"),1),"clc","dkn"),"DANGER",mvindex(split(host,"-"),1)) INDEXER: /opt/splunk/bin/splunk cmd btool props list foo_car --debug /opt/splunk/etc/slave-apps/INFRA_APP_logs/default/props.conf [foo_car] /opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True /opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE = /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True /opt/splunk/etc/system/default/props.conf CHARSET = UTF-8 /opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml /opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000 /opt/splunk/etc/system/default/props.conf HEADER_MODE = /opt/splunk/etc/system/default/props.conf LEARN_MODEL = true /opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true /opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100 /opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000 /opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000 /opt/splunk/etc/system/local/props.conf MAX_DAYS_HENCE = 40 /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600 /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800 /opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256 /opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128 /opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER = /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER = /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE = /opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing /opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full /opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner /opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer /opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none /opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard /opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True /opt/splunk/etc/system/default/props.conf TRANSFORMS = /opt/splunk/etc/system/default/props.conf TRUNCATE = 10000 /opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false /opt/splunk/etc/system/default/props.conf maxDist = 100 /opt/splunk/etc/system/default/props.conf priority = /opt/splunk/etc/system/default/props.conf sourcetype =

Re: eval not working in props.conf

isoutamo — Tue, 25 Jan 2022 08:18:41 GMT

If you want add new fields on index time you should use transforms.conf and INGEST_EVAL.

Re: eval not working in props.conf

PickleRick — Tue, 25 Jan 2022 08:36:41 GMT

Do you want this field as a calculated field in search-time or as an indexed field evaluated an ingest time?

Your props.conf definition seems relatively well defined for search-time calculated field. But

1) Does the user you're searching with have proper permissions to the app the field is defined in?

2) Are you sure you're not using fast mode?

Re: eval not working in props.conf

nareshinsvu — Wed, 26 Jan 2022 23:24:22 GMT

I want them at search-time please

Re: eval not working in props.conf

nareshinsvu — Wed, 26 Jan 2022 23:25:15 GMT

1) Does the user you're searching with have proper permissions to the app the field is defined in?

Yes - searching as admin user

2) Are you sure you're not using fast mode?

smart mode

Re: eval not working in props.conf

PickleRick — Thu, 27 Jan 2022 10:24:57 GMT

Then you should check your btool output on search-head, not on indexer.

Re: eval not working in props.conf

nareshinsvu — Wed, 16 Feb 2022 04:48:51 GMT

@PickleRick - your 1) point is valid. I have defined the field extraction inside a custom app. But doing the search from default search app.

How can I just run a search from search app with that sourcetype and get my extracted field. I can see the permissions on that app are read/write to everyone

Re: eval not working in props.conf

isoutamo — Wed, 16 Feb 2022 07:37:24 GMT

If you want to use some KOs (knowledge objects) from individual apps on some other app, then you must change that KO's permission to Global from App (or private). See https://docs.splunk.com/Documentation/Splunk/8.2.4/Knowledge/Manageknowledgeobjectpermissions.You seems to have already RW access to that app so it should be enough that you give globally read permission to this KO.

When you are sharing objects from apps to global you must also check the precedence if/when there are other KOs with same name! My proposal is to take global naming standard into use if you haven't do it yet.

r. Ismo