topic Re: Need help: why my search head is not using the settings in transforms.conf in Getting Data In

Need help: why my search head is not using the settings in transforms.conf

patng_nw — Thu, 17 Jan 2019 03:39:04 GMT

I am migrating from a stand-alone Splunk instance to a Splunk cluster (w/ search-head-cluster + indexer-cluster) and I am hitting this problem.

On my search heads, I have these settings

/opt/splunk/etc/system/local/props.conf:

[altr_web]
KV_MODE = none
category = Web
REPORT-altr_web = REPORT-altr_web

/opt/splunk/etc/apps/search/local/transforms.conf:

[REPORT-altr_web]
DELIMS = "\t"
FIELDS = "ip1","ip2","time","uri","status","execTime","bytes","referer","ua","nwtc","uid","abCookie"

I also verified that these settings are present on my search head with these commands:
$SPLUNK_HOME/bin/splunk btool --app=search transforms list
$SPLUNK_HOME/bin/splunk btool --app=search props list

All these look fine. Then I sent a test log file using a forwarder. However, during my search, I discovered that the transformation specified in transforms.conf didn't happen. (I couldn't see any fields such as ip1, ip2, uri, etc)

To troubleshoot the problem, I use my browser to connect to an indexer UI page, use the UI's Add Data feature, upload the log file directly and specifically picked altr_web as its source type. Again, when I search (on my search head) I still couldn't see any transformation happening.

I restarted my search head, but that didn't help.

What else can I do to troubleshoot this problem?

Updates:
I have resolved the problem. It turns out I need to follow the "2. If you want to migrate custom settings from a default app" part in this doc https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads#Migrate_settings_to_a_search_head_cluster in order to migrate the props.conf and transforms.conf settings to the search head. Once I did that, it's working now!

Re: Need help: why my search head is not using the settings in transforms.conf

dkeck — Thu, 17 Jan 2019 09:08:52 GMT

Hi,

I think your are missing a source:: or sourcetype:: in your props.conf.

Re: Need help: why my search head is not using the settings in transforms.conf

harsmarvania57 — Thu, 17 Jan 2019 09:12:12 GMT

For sourcetype you do not need to mention sourcetype:: in props.conf

Re: Need help: why my search head is not using the settings in transforms.conf

harsmarvania57 — Thu, 17 Jan 2019 09:13:55 GMT

Hi,

Can you please provide some sample data (mask any sensitive data) ?

Re: Need help: why my search head is not using the settings in transforms.conf

patng_nw — Fri, 18 Jan 2019 09:32:24 GMT

I have resolved it. See the updates in my post. Thanks to everyone for your suggestion.

Re: Need help: why my search head is not using the settings in transforms.conf

harsmarvania57 — Fri, 18 Jan 2019 13:40:56 GMT

That's great, you can post that update as answer and accept your own answer so that it will help for other community members.

Re: Need help: why my search head is not using the settings in transforms.conf

patng_nw — Fri, 18 Jan 2019 15:35:03 GMT

I have resolved the problem. It turns out I need to follow the "2. If you want to migrate custom settings from a default app" part in this doc https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads#Migrate_settings_to_a_search_head_cluster in order to migrate the props.conf and transforms.conf settings to the search head. Once I did that, it's working now!