Getting Data In

Need help: why my search head is not using the settings in transforms.conf

patng_nw
Communicator

I am migrating from a stand-alone Splunk instance to a Splunk cluster (w/ search-head-cluster + indexer-cluster) and I am hitting this problem.

On my search heads, I have these settings

/opt/splunk/etc/system/local/props.conf:

[altr_web]
KV_MODE = none
category = Web
REPORT-altr_web = REPORT-altr_web

/opt/splunk/etc/apps/search/local/transforms.conf:

[REPORT-altr_web]
DELIMS = "\t"
FIELDS = "ip1","ip2","time","uri","status","execTime","bytes","referer","ua","nwtc","uid","abCookie"

I also verified that these settings are present on my search head with these commands:
$SPLUNK_HOME/bin/splunk btool --app=search transforms list
$SPLUNK_HOME/bin/splunk btool --app=search props list

All these look fine. Then I sent a test log file using a forwarder. However, during my search, I discovered that the transformation specified in transforms.conf didn't happen. (I couldn't see any fields such as ip1, ip2, uri, etc)

To troubleshoot the problem, I use my browser to connect to an indexer UI page, use the UI's Add Data feature, upload the log file directly and specifically picked altr_web as its source type. Again, when I search (on my search head) I still couldn't see any transformation happening.

I restarted my search head, but that didn't help.

What else can I do to troubleshoot this problem?

Updates:
I have resolved the problem. It turns out I need to follow the "2. If you want to migrate custom settings from a default app" part in this doc https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads#Migra... in order to migrate the props.conf and transforms.conf settings to the search head. Once I did that, it's working now!

0 Karma
1 Solution

patng_nw
Communicator

I have resolved the problem. It turns out I need to follow the "2. If you want to migrate custom settings from a default app" part in this doc https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads#Migra... in order to migrate the props.conf and transforms.conf settings to the search head. Once I did that, it's working now!

View solution in original post

patng_nw
Communicator

I have resolved the problem. It turns out I need to follow the "2. If you want to migrate custom settings from a default app" part in this doc https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads#Migra... in order to migrate the props.conf and transforms.conf settings to the search head. Once I did that, it's working now!

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Can you please provide some sample data (mask any sensitive data) ?

0 Karma

patng_nw
Communicator

I have resolved it. See the updates in my post. Thanks to everyone for your suggestion.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

That's great, you can post that update as answer and accept your own answer so that it will help for other community members.

0 Karma

dkeck
Influencer

Hi,

I think your are missing a source:: or sourcetype:: in your props.conf.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

For sourcetype you do not need to mention sourcetype:: in props.conf

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...