I am new to Splunk and I am trying to create new fields at index time in a new app I created.
I would like to understand if the procedure I am following is the correct one.
I have a data input specified under $SPLUNK_HOME/etc/apps/test_1/default/inputs.conf as:
    [script:///opt/splunk/etc/apps/test_1/bin/vmstat.sh]
    disabled = false
    index = daq
    interval = 60
    source = memory
    sourcetype = memory
This data is visible in the search of the app and it is correctly retrieved.
In $SPLUNK_HOME/etc/apps/test_1/default/transforms.conf I add the transform rule:
    [vmstat_test]
    REGEX = (\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)
    FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$7 active::$8 swap_in::$9 swap_out::$10 blocks_in::$11 blocks_out::$12 interrupts::$13 contextswitch:$14 usermode::$15 kernelmode::$16 idle::$17 waiting::$18

    [memory]
    SHOULD_LINEMERGE = false
    LINE_BREAKER = ^()$
    TRUNCATE = 1000000
    DATETIME_CONFIG = CURRENT
    REPORTS-vmstat_test = vmstat_test
I restarted Splunk but the fields do not appear.
If I check the configuration from the web interface I can see the new field extraction and transform. However, it does not seem they are applied.
Thanks for your help.
Before any troubleshooting begins: why are you creating fields at index-time? Do you have a good reason for doing so? New users to Splunk often instinctively think creating index-time fields is a good way of boosting performance - in reality it is most often rather the opposite. Creating index-time fields should only be done if you really know what you're doing and have a very good reason for doing so instead of creating a search-time extraction.
EDIT: So, looking a bit more at your question it seems my little rant is not entirely needed - you're talking about index-time extractions, but the extraction you've almost created is a search-time extraction. You have an error in your props.conf: it's REPORT, not REPORTS.
In which app do you check this in the web GUI? search? By default, knowledge objects (such as extracted fields) are only valid within the context of their own app, so in order to use field extractions from your test_1 app you need to make those extractions global. This can be done via the manager in the GUI or by adding/editing the default.meta file in the app's metadata directory. In the latter case, the file should look something like this:

    []
    access = read : [ * ], write : [ admin ]
    export = global
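As an added example (not part of the original thread or of Splunk itself), the script below checks the extraction offline before anything is loaded into Splunk: it reads a transforms.conf and a props.conf stanza written in the same form as the ones posted in the question, applies REGEX and FORMAT to a constructed vmstat-style event, and flags the two defects that keep the fields from appearing: the props.conf key spelled REPORTS- instead of REPORT- that the answer points out, and one FORMAT token in the posted transform, contextswitch:$14, that has a single colon where every other token has name::$N. The .conf reader is a deliberately simplified stand-in for Splunk's own parsing (no default/local layering, no continuation lines), and the sample event is made up to have the 18 integer columns the posted regex expects; it is not real vmstat output.

```python
"""
Offline check of a Splunk search-time field extraction (added example).

Parses transforms.conf and props.conf stanzas shaped like the ones in the
question, applies REGEX/FORMAT to a constructed event, and reports the
REPORT-/REPORTS- typo and any FORMAT token that is not of the form name::$N.
"""
import re
from typing import Dict, List, Tuple

# transforms.conf as posted in the question (whitespace restored).
TRANSFORMS_CONF = r"""
[vmstat_test]
REGEX = (\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)
FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$7 active::$8 swap_in::$9 swap_out::$10 blocks_in::$11 blocks_out::$12 interrupts::$13 contextswitch:$14 usermode::$15 kernelmode::$16 idle::$17 waiting::$18
"""

# props.conf as posted, including the REPORTS- typo the answer points out.
PROPS_CONF = """
[memory]
SHOULD_LINEMERGE = false
LINE_BREAKER = ^()$
TRUNCATE = 1000000
DATETIME_CONFIG = CURRENT
REPORTS-vmstat_test = vmstat_test
"""

# Constructed sample event: 18 whitespace-separated integers, the shape the
# posted REGEX expects. This is not real vmstat output.
SAMPLE_EVENT = "1 0 0 2041616 0 1023456 0 0 0 12 45 89 1 0 99 0 0 0"


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf reader: [stanza] headers, key = value lines, # comments."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_format(fmt: str) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Split FORMAT into (field, group) pairs; any token not name::$N is reported."""
    good: List[Tuple[str, int]] = []
    bad: List[str] = []
    for token in fmt.split():
        m = re.fullmatch(r"(\w+)::\$(\d+)", token)
        if m:
            good.append((m.group(1), int(m.group(2))))
        else:
            bad.append(token)
    return good, bad


def apply_transform(transform: Dict[str, str], event: str) -> Dict[str, str]:
    """Run REGEX over the event and name the captured groups via FORMAT."""
    match = re.search(transform["REGEX"], event)
    if not match:
        return {}
    fields, _ = parse_format(transform["FORMAT"])
    # Skip references to groups the regex does not have rather than raising.
    return {name: match.group(idx) for name, idx in fields if idx <= match.re.groups}


def report_bindings(props_stanza: Dict[str, str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Collect REPORT-<class> keys; any other key starting with 'report' is a typo."""
    bindings: Dict[str, List[str]] = {}
    typos: List[str] = []
    for key, value in props_stanza.items():
        if key.startswith("REPORT-"):
            bindings[key] = [v.strip() for v in value.split(",")]
        elif key.lower().startswith("report"):
            typos.append(key)
    return bindings, typos


def check_extraction() -> Dict[str, object]:
    """Summarise what binds, what is misspelled, and what the regex extracts."""
    transforms = parse_conf(TRANSFORMS_CONF)
    props = parse_conf(PROPS_CONF)["memory"]
    bindings, typos = report_bindings(props)
    _, bad_tokens = parse_format(transforms["vmstat_test"]["FORMAT"])
    fields = apply_transform(transforms["vmstat_test"], SAMPLE_EVENT)
    return {
        "bound_transforms": sorted(t for ts in bindings.values() for t in ts),
        "misspelled_keys": typos,
        "bad_format_tokens": bad_tokens,
        "fields": fields,
    }


if __name__ == "__main__":
    for key, value in check_extraction().items():
        print(f"{key}: {value}")
```

On the posted configuration the check reports no bound transforms (the only binding key is misspelled), one misspelled key, one bad FORMAT token, and 15 extracted fields from the sample event; after changing REPORTS- to REPORT- the binding resolves. This only exercises the regex and the naming, not Splunk's own parsing, so once the files are edited it is still worth confirming what Splunk actually loaded for the sourcetype with `$SPLUNK_HOME/bin/splunk btool props list memory --debug`, which also shows which app each setting came from.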
Thanks for your answer. Indeed, it is a search-time extraction.
I changed the typo in REPORT-vmstat_test and restarted Splunk. The fields still don't appear. Are there additional things I should do?