I am new to Splunk and I am trying to create new fields at index time in a new app I created.
I would like to understand if the procedure I am following is the correct one.
I have a data input specified under $SPLUNK_HOME/etc/apps/test_1/default/inputs.conf as:
DATETIME_CONFIG = CURRENT
REPORTS-vmstat_test = vmstat_test
I restarted Splunk but the fields do not appear.
If I check the configuration from the web interface I can see the new field extraction and transform. However, it does not seem they are applied.
Thanks for your help.
Before any troubleshooting begins: why are you creating fields at index-time? Do you have a good reason for doing so? New users to Splunk often instinctively think creating index-time fields is a good way of boosting performance - in reality it is most often rather the opposite. Creating index-time fields should only be done if you really know what you're doing and have a very good reason for doing so instead of creating a search-time extraction.
EDIT: So, looking a bit more at your question it seems my little rant is not entirely needed - you're talking about index-time extractions, but the extraction you've almost created is a search-time extraction. You have an error in your props.conf: it's REPORT, not REPORTS.
In which app do you check this in the web GUI? search? By default, knowledge objects (such as extracted fields) are only valid within the context of their own app, so in order to use field extractions from your test_1 app you need to make those extractions global. This could be done via the Manager in the GUI or by adding/editing the default.meta file in the app's metadata directory. In the latter case, the file should look something like this:
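As an added illustration of the two points raised in the answer (the REPORTS- misspelling in props.conf and the per-app scope of knowledge objects), and not code from the thread or from Splunk itself, the following Python script lints constructed props.conf, transforms.conf and default.meta snippets. The conf contents (the DELIMS/FIELDS transform, the `export` values in default.meta) are assumptions made up for the demo; only the REPORTS- vs REPORT- key and the `export = system` setting come from the thread.

```python
"""Lint a Splunk app's props.conf / transforms.conf / default.meta for the two
problems discussed above: a misspelled REPORT- key, and an extraction that is
not exported beyond its own app.  Added example, not from the original thread."""
import configparser
from typing import List

# --- constructed sample configs (assumptions for the demo) -------------------

# props.conf as the question had it: REPORTS- is not a valid setting.
BROKEN_PROPS = """
[vmstat_test]
DATETIME_CONFIG = CURRENT
REPORTS-vmstat_test = vmstat_test
"""

# The same stanza with the key spelled correctly.
FIXED_PROPS = """
[vmstat_test]
DATETIME_CONFIG = CURRENT
REPORT-vmstat_test = vmstat_test
"""

# A constructed transforms.conf stanza that the REPORT- key points at.
TRANSFORMS = """
[vmstat_test]
DELIMS = " "
FIELDS = r, b, swpd, free, buff, cache
"""

# default.meta keeping the objects private to the app (constructed).
LOCAL_META = """
[props]
export = none
[transforms]
export = none
"""

# default.meta exporting them system-wide, as the answer recommends (constructed).
GLOBAL_META = """
[props]
export = system
access = read : [ * ], write : [ admin ]
[transforms]
export = system
"""

# Prefixes that bind extractions in props.conf, and misspellings to flag.
TYPO_PREFIXES = {"REPORTS-": "REPORT-", "EXTRACTS-": "EXTRACT-", "TRANSFORM-": "TRANSFORMS-"}


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf text, preserving key case (REPORT-x, not report-x)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk setting names are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def lint_props(props_text: str, transforms_text: str) -> List[str]:
    """Flag misspelled extraction keys and REPORT-/TRANSFORMS- values with no matching stanza."""
    problems: List[str] = []
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    for stanza in props.sections():
        for key, value in props.items(stanza):
            for typo, fix in TYPO_PREFIXES.items():
                if key.startswith(typo):
                    problems.append(f"[{stanza}] {key}: unknown setting, did you mean {fix}{key[len(typo):]}?")
            if key.startswith(("REPORT-", "TRANSFORMS-")):
                # The value is a comma-separated list of transforms.conf stanza names.
                for name in (v.strip() for v in value.split(",")):
                    if not transforms.has_section(name):
                        problems.append(f"[{stanza}] {key} references missing transforms.conf stanza [{name}]")
    return problems


def lint_meta(meta_text: str) -> List[str]:
    """Report props/transforms objects that default.meta does not export beyond the app."""
    meta = parse_conf(meta_text)
    problems: List[str] = []
    for obj in ("props", "transforms"):
        export = meta.get(obj, "export", fallback=None) if meta.has_section(obj) else None
        if export != "system":
            problems.append(f"[{obj}] in default.meta has export = {export!r}; only visible inside this app")
    return problems


if __name__ == "__main__":
    for label, props in (("broken", BROKEN_PROPS), ("fixed", FIXED_PROPS)):
        print(label, "props.conf:", lint_props(props, TRANSFORMS) or "OK")
    for label, meta in (("local", LOCAL_META), ("global", GLOBAL_META)):
        print(label, "default.meta:", lint_meta(meta) or "OK")
```

Run it directly to see the REPORTS- key flagged in the broken props.conf and both objects flagged as app-local in the first default.meta; the fixed props.conf and the system-exported default.meta produce no findings.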