Getting Data In

Search Head - props.conf and transforms.conf not taking effect in apps directory

shailesh030
Path Finder

I have a universal forwarder forwarding key-value-delimited log events to an indexer. I have created an app on the search head to extract the fields using props.conf and transforms.conf. These configuration files are in the /$SPLUNK_HOME/etc/apps/App1/local directory, but for some reason these configuration files are not taking effect. The same files, when moved to /$SPLUNK_HOME/etc/system/local, result in the fields being extracted and available for search on the search head.

1) There were no other props.conf and transforms.conf present in etc/system/local prior to the move.
2) btool cmd shows the props and transforms were picked up from apps/local directory.
3) Both files have all the permissions.
4) Configuring props.conf (for timezone etc.) in an app context on the indexer works without issues

Content of props.conf

    [1234567_abcd_dplogskv]
    REPORT-parse_dp_kv = dpkvlog
    KV_MODE = none
    pulldown_type = 1

Content of transforms.conf

    [dpkvlog]
    DELIMS = "~", "="

Any help will be highly appreciated

0 Karma
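To check what the REPORT/DELIMS pair in the question should produce for a given raw event, here is an added example (not from the original post or from Splunk) that reads the two stanzas above with configparser and emulates the two-part DELIMS split on a constructed event; the exact Splunk behaviour is approximated, and the sample event is made up:

```python
import configparser
import csv
import io
import re
# Constructed copies of the two stanzas quoted in the question (not read from a live Splunk).
PROPS_CONF = """
[1234567_abcd_dplogskv]
REPORT-parse_dp_kv = dpkvlog
KV_MODE = none
pulldown_type = 1
"""
TRANSFORMS_CONF = """
[dpkvlog]
DELIMS = "~", "="
"""

def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text, keeping key case (REPORT-* names are case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def parse_delims(raw: str) -> list:
    """Split a DELIMS value into its quoted strings: '"~", "="' -> ['~', '=']."""
    return next(csv.reader(io.StringIO(raw), skipinitialspace=True))

def extract_delims(event: str, delims: list) -> dict:
    """Emulate a two-part DELIMS transform: each character of delims[0] separates
    fields, each character of delims[1] separates a key from its value."""
    field_class, kv_class = "[%s]" % re.escape(delims[0]), "[%s]" % re.escape(delims[1])
    fields = {}
    for chunk in re.split(field_class, event):
        parts = re.split(kv_class, chunk, maxsplit=1)  # a value may itself contain '='
        if len(parts) == 2 and parts[0]:
            fields[parts[0]] = parts[1]
    return fields

def apply_report(sourcetype: str, event: str) -> dict:
    """Follow each REPORT-<name> = <transform> in the props stanza to its transforms
    stanza and run the DELIMS extraction against one raw event."""
    props, transforms = load_conf(PROPS_CONF), load_conf(TRANSFORMS_CONF)
    fields = {}
    for key, transform in props[sourcetype].items():
        if key.startswith("REPORT-") and transforms.has_option(transform, "DELIMS"):
            fields.update(extract_delims(event, parse_delims(transforms[transform]["DELIMS"])))
    return fields

if __name__ == "__main__":
    # Constructed sample event in the '~'-separated key=value layout the question describes.
    print(apply_report("1234567_abcd_dplogskv", "host=web01~user=alice~action=login~msg=a=b"))
```

If a search on the search head returns fewer fields than this emulation does for the same event, the stanzas themselves are fine and the difference lies in which configuration the search actually sees (scope, permissions or precedence), which is what btool --debug in the app context will tell you.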

woodcock
Esteemed Legend

You are probably locked into your app's scope and searching outside of it. To give your Knowledge Objects global scope, create this $SPLUNK_HOME/etc/apps/app1/metadata/default.meta file:

    # Application-level permissions

    []
    access = read : [ admin ], write : [ admin ]

    # EVENT TYPES

    [eventtypes]
    export = system

    # PROPS

    [props]
    export = system

    # TRANSFORMS

    [transforms]
    export = system

    # VIEWSTATES: even normal users should be able to create shared viewstates

    [viewstates]
    access = read : [ * ], write : [ * ]

    # LOOKUPS

    [lookups]
    export = system

shailesh030
Path Finder

Thanks woodcock.

Currently I am having some (write) permission issues updating the default.meta file, but I checked the app permissions through splunkweb and see that App1 has read/write permissions for everyone. Although not ideal, I believe the corresponding meta should look like the above except that access = read:[],write:[]

But even after making the change, the search extracts only one or two fields and populates them with the rest of the fields, thus ending up with garbage data.

Do I need to make any other changes to permissions?

0 Karma

woodcock
Esteemed Legend

If it works in $SPLUNK_HOME/etc/system/local then just copy the entire metadata directory's contents from there into your app.

0 Karma

shailesh030
Path Finder

I tried that as well. I took the meta directory from system/metadata along with its default.meta and copied it to /etc/apps/app1, but it still doesn't extract the fields. As soon as I move props.conf and transforms.conf back to /system/local it starts working. As you mentioned, it certainly has something to do with scope and permissions, but I am not able to figure out what that is. Any other things I can try? Below is the content of system/metadata/default.meta

    # System permissions

    []
    access = read : [ * ], write : [ admin ]

    ### VIEWSTATES: even normal users should be able to create shared viewstates

    [viewstates]
    access = read : [ * ], write : [ * ]

Regards

0 Karma

MarkusAugstburg
New Member

Hi shailesh030
Were you able to solve this issue?
I have the very same problem.
Regards,

0 Karma