https://community.splunk.com/t5/Monitoring-Splunk/log-parsing-failing-across-multiple-sourcetypes/m-p/686925#M10161 <P>My post can be disregarded,&nbsp; simple misinformation and not checking what/where people were running their field extractions.&nbsp; (App vs Global permissions on Field and Transform extractions). Cheers nontheless and thanks for the pointers</P> Wed, 08 May 2024 20:03:50 GMT alemack 2024-05-08T20:03:50Z https://community.splunk.com/t5/Monitoring-Splunk/log-parsing-failing-across-multiple-sourcetypes/m-p/686054#M10151 <P>Hi folks,&nbsp; our field parsing/extraction has broken across all sourcetypes (nginx, log4j, aws:elb's, fix,custom formats as well). The most recent infra event we had was an increase of file storage over a month ago.&nbsp; If our error were related to a single sourcetype I would assume I have to review my props.conf file for the associated app and sourcetype,but in this case it appears something more systemic is occurring.</P><P>As someone with limited knowledge of splunk admin,where can I look to narrow my search to the root cause?&nbsp; Trying to RTFM, and am familiar with the "general" log structure but not sure exactly what I'm looking for. (an error/exception on restart directly calling out a props.conf file? An index related exception? idk) Would btool help me confirm if my props.conf files are correctly loading? Is there something would indicate a failure of log parsing?</P><P>&nbsp;</P><P>Splunk Enterprise single-instance 9.2.0.1 on an 8 Core 32GB instance</P><P>&nbsp;</P><P>Cheers</P><P>//A</P> Wed, 01 May 2024 12:13:51 GMT https://community.splunk.com/t5/Monitoring-Splunk/log-parsing-failing-across-multiple-sourcetypes/m-p/686054#M10151 alemack 2024-05-01T12:13:51Z https://community.splunk.com/t5/Monitoring-Splunk/log-parsing-failing-across-multiple-sourcetypes/m-p/686083#M10152 <P><SPAN>It could any number of things. </SPAN></P><P><SPAN>If this was working before - what changed is what you want to find out first and work out where the problem is. </SPAN></P><P><SPAN>I guess if it was working before the props/transforms has either change, overwritten, or removed. </SPAN></P><P><SPAN>Has someone removed the props/transforms apps that those sourcetypes belong to from /opt/splunk/etc/apps. </SPAN></P><P><SPAN>You can check by starting here to find out where those sourcetypes live: </SPAN></P><P><SPAN>/opt/splunk/bin/splunk btool props list --debug </SPAN></P><P><SPAN>/opt/splunk/bin/splunk btool transforms list --debug</SPAN></P> Wed, 01 May 2024 15:53:49 GMT https://community.splunk.com/t5/Monitoring-Splunk/log-parsing-failing-across-multiple-sourcetypes/m-p/686083#M10152 deepakc 2024-05-01T15:53:49Z https://community.splunk.com/t5/Monitoring-Splunk/log-parsing-failing-across-multiple-sourcetypes/m-p/686925#M10161 <P>My post can be disregarded,&nbsp; simple misinformation and not checking what/where people were running their field extractions.&nbsp; (App vs Global permissions on Field and Transform extractions). Cheers nontheless and thanks for the pointers</P> Wed, 08 May 2024 20:03:50 GMT https://community.splunk.com/t5/Monitoring-Splunk/log-parsing-failing-across-multiple-sourcetypes/m-p/686925#M10161 alemack 2024-05-08T20:03:50Z