topic Re: Calculated field in DB Connect in Splunk Search

Calculated field in DB Connect

dan60201 — Mon, 28 Sep 2020 14:24:56 GMT

I have done testing the calculated fields for Splunk DB Connect in my local machine. Basically I added props.conf file to the following folder: %SPLUNK_HOM%\etc\apps\dbx\local

In the file, I have something like this

[MySoureType]
EVAL-cpu_time_s = CPU / 1000
EVAL-duration_s = Duration / (1000 * 1000)

It works perfectly in my local environment, I can see those fields (cpu_time_s, duration_s) show up in the search. However, when I implement in the actual server (a dedicated heavy forwarder installed with Dbx in a distributed environment), I can't find those fields anymore.

Any reason why it behaves differently? How should I troubleshoot this situation.
Thanks!

Re: Calculated field in DB Connect

gfuente — Wed, 24 Jul 2013 08:15:01 GMT

Hello

Probably, in your distributed enviroment, the fields CPU and Duration are not beign exctracted properly, and because of that the calculated fields doesn´t work either

Regards

Re: Calculated field in DB Connect

dan60201 — Wed, 24 Jul 2013 14:18:41 GMT

gfuente, Thanks for reply. Both CPU and Duration were showing up just fine. I also tried with fixed value like EVAL_test = 'test', but no such field showed up.

Re: Calculated field in DB Connect

gfuente — Wed, 24 Jul 2013 14:23:29 GMT

Hello

You should put this configuration of props.conf in the Search Head, not in the heavy forwarder.

Re: Calculated field in DB Connect

dan60201 — Wed, 24 Jul 2013 16:34:18 GMT

I checked all splunk servers (search head/indexer) and can only find props.conf with EVAL- in indexer. So, I configured the dedicated heavy forwarder with dbx installed and enabled indexAndForward = true in outputs.conf. I am expecting it will do calculated field in this box before sending to splunk receiver.

Re: Calculated field in DB Connect

dan60201 — Wed, 24 Jul 2013 16:36:40 GMT

Forgot to mention, those existing EVAL- from other apps managed by deployment server are working fine. Only DB Connect that I configured in this dedicated box did not work as I expected.

Re: Calculated field in DB Connect

dan60201 — Wed, 24 Jul 2013 22:18:37 GMT

If I want to move/test EVAL-field to indexer (instead of defining it in the dedicated forwarder server with dbx), it's not clear to me what exactly the steps I should do? How does indexer know I want add additional calculated fields? Where do I need to put such props.conf?

Re: Calculated field in DB Connect

dan60201 — Thu, 25 Jul 2013 20:49:11 GMT

Somehow I need to move that configuration into indexers, rather than in DB connect dedicated server. Now those calculated fields work as expected.