Solved: Conf file precedence issue, JSON extraction

apoorvaaj · ‎11-16-2017

props definition is below, when i save it in app\search\local directory it doesn't work as expected{events are not broken properly}.
When saving the same configuration in system\local it works fine.

what am I missing?

[samplejson]
TIME_PREFIX = ("observedTime":")
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
LINE_BREAKER = ([\n\r]+){
SHOULD_LINEMERGE = false
TRUNCATE = 0

koshyk · ‎11-17-2017

ensure that [samplejson] stanza is not used in another app
The best way you can check is to use debug command on btool

$SPLUNK_HOME/bin/splunk cmd btool props list --debug >/tmp/props.btool.out
$SPLUNK_HOME/bin/splunk cmd btool transforms list --debug >/tmp/transforms.btool.out

And check for the [samplejson] if its coming from your app or somewhere else

View solution in original post

koshyk · ‎11-17-2017

ensure that [samplejson] stanza is not used in another app
The best way you can check is to use debug command on btool

$SPLUNK_HOME/bin/splunk cmd btool props list --debug >/tmp/props.btool.out
$SPLUNK_HOME/bin/splunk cmd btool transforms list --debug >/tmp/transforms.btool.out

And check for the [samplejson] if its coming from your app or somewhere else

Conf file precedence issue, JSON extraction

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...