Getting Data In

How do I find out what prop file is catching my data?

Engager

This is a weird one. I uploaded some data one time and I set the sourcetype to "MyStuff" and dropped it into my test index.

I search for: index=test sourcetype=MyStuff and all the data comes back. No problem so far. I do notice that the data is being k=v parsed, which I think is from the default settings in the systems/default/props.conf file. That's ok. (I have data with = in it, like FOO = BAR, and Splunk makes FOO the name with BAR the value).

I make a new app in etc/app/MyApp with a props and transforms file.

In props.conf:

[MyStuff]
REPORT-do_something = mystuff-parse

In transforms.conf:

[mystuff-parse]
REGEX = ^(\S+)
FORMAT = some_variable::$1

That's it.

I go back to my search and enter: index=test sourcetype=MyStuff | extract reload=T

Now I go back to my data and nothing has happened. I don't see my some_variable anywhere. I even reboot, without any results.

After banging my head against a wall for a while, I move all my logic into system/local/props.conf and transforms.conf, and re-run my search. All of a sudden my some_variable appears.

I have other apps on this box, so I run the btool on my props file to make sure my sourcetype MyStuff is unique, and it is. I make sure my REPORT-do_something is unique, and it is. I then run the btool against my transforms to make sure my stanza mystuff-parse is unique, and it is.

So how do I go about seeing what exactly is happening to my data when I run that search? It's never making it to my app in etc/app, but the logic works in system/local. Any ideas? I'm about to pull an Office Space on this box.

PS. Yes the permissions are correct on the directory and files.

UPDATE:

Fix was to make the app global so the Search App in the GUI could see/use it.

I added the metadata director with the file default.meta in it.

The file looks like:

[ ]
access = read : [ * ], write : [ admin ]
export = global

1 Solution

Splunk Employee
Splunk Employee

Simply, search-time extractions (and other search-time artifacts) are scoped to a specific app unless otherwise specified. Items in system are global. Items in apps can be made global via the GUI and/or the *.meta files (same thing). You can see the effect of which file are running by specifying the app context --app=appname when using btool http://docs.splunk.com/Documentation/Splunk/5.0beta/Troubleshooting/Usebtooltotroubleshootconfigurat...

View solution in original post

Splunk Employee
Splunk Employee

Simply, search-time extractions (and other search-time artifacts) are scoped to a specific app unless otherwise specified. Items in system are global. Items in apps can be made global via the GUI and/or the *.meta files (same thing). You can see the effect of which file are running by specifying the app context --app=appname when using btool http://docs.splunk.com/Documentation/Splunk/5.0beta/Troubleshooting/Usebtooltotroubleshootconfigurat...

View solution in original post

Engager

Sorry I'm a complete moron.

I was trying to use this app in the search app, but I didn't have my metadata directory set up with the default.meta file with:

export = global

Once I added that, the app came into scope and worked... Doh!

0 Karma

Ultra Champion

Sorry if this is a too simple explanation - but you do not make it clear where you put your new props.conf and transforms.conf.

Did you put it in $SPLUNK_HOME/etc/apps/myApp or in $SPLUNK_HOME/etc/apps/myApp/local?

Also, your regex seems a bit simple, but perhaps this was just for illustration purposes.

Best regards,

Kristian

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!