This is a weird one. I uploaded some data one time and I set the sourcetype to "MyStuff" and dropped it into my test index.
I search for: index=test sourcetype=MyStuff
and all the data comes back. No problem so far. I do notice that the data is being k=v parsed, which I think is from the default settings in the systems/default/props.conf file. That's ok. (I have data with = in it, like FOO = BAR, and Splunk makes FOO the name with BAR the value).
I make a new app in etc/app/MyApp with a props and transforms file.
In props.conf:
[MyStuff]
REPORT-do_something = mystuff-parse
In transforms.conf:
[mystuff-parse]
REGEX = ^(\S+)
FORMAT = some_variable::$1
That's it.
I go back to my search and enter: index=test sourcetype=MyStuff | extract reload=T
Now I go back to my data and nothing has happened. I don't see my some_variable anywhere. I even reboot, without any results.
After banging my head against a wall for a while, I move all my logic into system/local/props.conf and transforms.conf, and re-run my search. All of a sudden my some_variable appears.
I have other apps on this box, so I run the btool on my props file to make sure my sourcetype MyStuff is unique, and it is. I make sure my REPORT-do_something is unique, and it is. I then run the btool against my transforms to make sure my stanza mystuff-parse is unique, and it is.
So how do I go about seeing what exactly is happening to my data when I run that search? It's never making it to my app in etc/app, but the logic works in system/local. Any ideas? I'm about to pull an Office Space on this box.
PS. Yes the permissions are correct on the directory and files.
UPDATE:
Fix was to make the app global so the Search App in the GUI could see/use it.
I added the metadata directory with the file default.meta in it.
The file looks like:
[ ]
access = read : [ * ], write : [ admin ]
export = global
Simply, search-time extractions (and other search-time artifacts) are scoped to a specific app unless otherwise specified. Items in system are global. Items in apps can be made global via the GUI and/or the *.meta files (same thing). You can see the effect of which files are running by specifying the app context --app=appname when using btool
http://docs.splunk.com/Documentation/Splunk/5.0beta/Troubleshooting/Usebtooltotroubleshootconfigurat...
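The scoping rule in the answer above can be made concrete with a small model. The following is an added example, not code from this thread, from Splunk, or from the asker's app: it parses the props.conf, transforms.conf and default.meta fragments posted in the question and the UPDATE (embedded inline as constructed sample input), decides which REPORT- stanzas a search run inside a given app can see, and applies the visible REGEX/FORMAT transform to one constructed event. The names parse_conf, ConfScope, visible_reports, extract_fields and demo are this example's own, and the scoping model is the one the thread describes (etc/system always global, an app global only when its default.meta [] stanza exports it); the example accepts both the thread's export = global and the documented export = system.

```python
import re

# Constructed config fragments standing in for the files the thread describes.
# They are sample input for this model, not files copied from a real Splunk install.
APP_PROPS = r"""
[MyStuff]
REPORT-do_something = mystuff-parse
"""

APP_TRANSFORMS = r"""
[mystuff-parse]
REGEX = ^(\S+)
FORMAT = some_variable::$1
"""

# metadata/default.meta as posted in the UPDATE; the app-wide stanza is the
# empty [] header. (Splunk's docs also use export = system for the same effect.)
META_GLOBAL = r"""
[]
access = read : [ * ], write : [ admin ]
export = global
"""


def parse_conf(text):
    """Parse a minimal Splunk .conf/.meta file into {stanza: {key: value}}.

    A bare [] (or [ ]) header becomes the empty-string stanza, so default.meta's
    app-wide settings can be looked up as stanzas[""].
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


class ConfScope:
    """One place config can live: etc/system/local or etc/apps/<name>."""

    def __init__(self, name, props="", transforms="", default_meta=""):
        self.name = name
        self.props = parse_conf(props)
        self.transforms = parse_conf(transforms)
        self.meta = parse_conf(default_meta)

    def exports_globally(self):
        # Modelling assumption taken from the thread: etc/system is always global;
        # an app is global only if its default.meta [] stanza exports it.
        if self.name == "system":
            return True
        export = self.meta.get("", {}).get("export", "none").lower()
        return export in ("global", "system")


def visible_reports(scopes, sourcetype, search_app):
    """REPORT-* settings for sourcetype that a search run inside search_app can see."""
    reports = {}
    for scope in scopes:
        if scope.name != search_app and not scope.exports_globally():
            continue  # local to another app: invisible from search_app
        for key, value in scope.props.get(sourcetype, {}).items():
            if key.startswith("REPORT-"):
                reports[key] = (scope, value)
    return reports


def extract_fields(scopes, sourcetype, search_app, event):
    """Apply every visible REGEX/FORMAT transform to one event, like a search-time REPORT."""
    fields = {}
    for scope, stanza_name in visible_reports(scopes, sourcetype, search_app).values():
        stanza = scope.transforms.get(stanza_name)
        if stanza is None:
            continue
        match = re.search(stanza["REGEX"], event)
        if not match:
            continue
        for pair in stanza["FORMAT"].split():
            name, _, template = pair.partition("::")
            # FORMAT refers to capture groups as $1, $2, ...
            fields[name] = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), template)
    return fields


def demo(event="FOO = BAR"):
    """Reproduce the situations in the thread for one constructed event."""
    app_local = ConfScope("MyApp", APP_PROPS, APP_TRANSFORMS)               # no default.meta
    app_global = ConfScope("MyApp", APP_PROPS, APP_TRANSFORMS, META_GLOBAL)  # after the UPDATE
    system_local = ConfScope("system", APP_PROPS, APP_TRANSFORMS)           # moved to system/local
    return {
        "app_local_from_search": extract_fields([app_local], "MyStuff", "search", event),
        "app_local_from_myapp": extract_fields([app_local], "MyStuff", "MyApp", event),
        "app_global_from_search": extract_fields([app_global], "MyStuff", "search", event),
        "system_from_search": extract_fields([system_local], "MyStuff", "search", event),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running it shows the asker's three observations side by side: with no default.meta the extraction is empty when searching from the Search app but present when searching from inside MyApp; adding the exported [] stanza or moving the files to system/local makes some_variable appear from the Search app too. The same question can be put to a real install with btool by comparing the --app=search and --app=MyApp contexts, as the answer above suggests.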
Sorry I'm a complete moron.
I was trying to use this app in the search app, but I didn't have my metadata directory set up with the default.meta file with:
export = global
Once I added that, the app came into scope and worked... Doh!
Sorry if this is a too simple explanation - but you do not make it clear where you put your new props.conf and transforms.conf.
Did you put it in $SPLUNK_HOME/etc/apps/myApp or in $SPLUNK_HOME/etc/apps/myApp/local?
Also, your regex seems a bit simple, but perhaps this was just for illustration purposes.
Best regards,
Kristian