Re: Not indexing new fields in new app

atelesca · ‎07-12-2012

Hello,
I am new in Splunk and I am trying to create new fields at index time in a new app I created.
I would like to understand if the procedure I am following is the correct one.
I have a data input specified under $SPLUNK_HOME/etc/apps/test_1/default/inputs.conf as:

[script:///opt/splunk/etc/apps/test_1/bin/vmstat.sh]
disabled = false
index = daq
interval = 60
source = memory
sourcetype = memory

This data is visible in the search of the app and it is correctly retrieved.
In $SPLUNK_HOME/etc/apps/test_1/default/transforms.conf I add the transform rule:

[vmstat_test]
REGEX = (\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)
FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$7 active::$8 swap_in::$9 swap_out::$10 blocks_in::$11 blocks_out::$12 interrupts::$13 contextswitch:$14 usermode::$15 kernelmode::$16 idle::$17 waiting::$18

and $SPLUNK_HOME/etc/apps/test_1/default/props.conf

[memory]
SHOULD_LINEMERGE=false
LINE_BREAKER=^()$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
REPORTS-vmstat_test = vmstat_test

I restarted splunk but the fields do not appear.
If I check the configuration from the web interface I can see the new field extraction and transform. However, it does not seem they are applied.
Thanks for your help.
Cheers,
Adriana

Ayn · ‎07-12-2012

Before any troubleshooting begins: why are you creating fields at index-time? Do you have a good reason for doing so? New users to Splunk often instinctively think creating index-time fields is a good way of boosting performance - in reality it is most often rather the opposite. Creating index-time fields should only be done if you really know what you're doing and have a very good reason for doing so instead of creating a search-time extraction.

EDIT: So, looking a bit more at your question it seems my little rant is not entirely needed - you're talking about index-time extractions, but the extraction you've almost created is a search-time extraction. You have an error in your props.conf: it's REPORT, not REPORTS.

Ayn · ‎07-12-2012

In which app do you check this in the web GUI? search? By default, knowledge objects (such as extracted fields) are only valid within the context of their own app, so in order to use field extractions from your test_1 app you need to make those extractions global. This could be done via the manager in the gui or by adding/editing the default.meta file in the app's metadata directory. In the latter case, the file should look something like this:

[ ]
access = read : [ * ], write : [ admin ]
export = global

atelesca · ‎07-12-2012

Thanks for your answer. Indeed, it is a search-time extraction.
I changed the typo in REPORT-vmstat_test and restarted Splunk. The fields still don't appear. Are there additional things I should do?

Not indexing new fields in new app

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation