Getting Data In

Search Head - props.conf and transforms.conf not taking into effect in apps directory

shailesh030
Path Finder

I have a universal forwarder forwarding key-value-delimited log events to an indexer. I have created an app on the search head to extract the fields using props.conf and transforms.conf. These configuration files are in the /$SPLUNK_HOME/etc/apps/App1/local directory but for some reason these configuration files are not taking into effect. These same files when moved to /$SPLUNK_HOME/etc/system/local results in fields being extracted and available for search on the search head.

1) There were no other props.conf and transforms.conf present in etc/system/local prior to the move.
2) btool cmd shows the props and transforms were picked up from apps/local directory.
3) Both files have all the permissions.
4) Configuring props.conf (for timezone etc.) in an app context on the indexer works without issues

Content of props.conf

    [1234567_abcd_dplogskv]
    REPORT-parse_dp_kv = dpkvlog
    KV_MODE = none
    pulldown_type = 1

Content of transforms.conf

[dpkvlog]
DELIMS = "~", "="

Any help will be highly appreciated

0 Karma

woodcock
Esteemed Legend

You are probably locked into your app's scope and searching outside of it. To give your Knowledge Objects global scope, create this $SPLUNK_HOME/etc/apps/app1/metadata/default.meta file:

Application-level permissions

[]
access = read : [ admin ], write : [ admin ]

EVENT TYPES

[eventtypes]
export = system

PROPS

[props]
export = system

TRANSFORMS

[transforms]
export = system

VIEWSTATES: even normal users should be able to create shared viewstates

[viewstates]
access = read : [ * ], write : [ * ]

LOOKUPS

[lookups]
export = system

shailesh030
Path Finder

Thanks woodcock.

Currently I am having some permission issues (write) in updating default.meta file but I checked the app permissions through splunkweb and see that App1 has read/write permissions to everyone. Although not ideal, I believe the corresponding meta should like above except that access = read:[],write:[]

But even after making the change, the search extracts only one or two fields & populates them with rest of the fields thus ending up with garbage data.

Do I need to make any other changes to permissions?

0 Karma

woodcock
Esteemed Legend

If it works in $SPLUNK_HOME/etc/system/local then just copy the entire metadata directory's contents from there into your app.

0 Karma

shailesh030
Path Finder

I tried that as well. I took the meta directory from system/metadata along with is default.meta and copied to the /etc/apps/app1 but it still doesn't extract the fields. As soon as move props.conf and transforms.conf back to /system/local it starts working. As you mentioned it certainly has something to do with scope & permissions but not able to figure out what that is. Any other things I can try? Below is the content of system/metadata/default.meta

# System permissions

[]
access = read : [ * ], write : [ admin ]

### VIEWSTATES: even normal users should be able to create shared viewstates

[viewstates]
access = read : [ * ], write : [ * ]

Regards

0 Karma

MarkusAugstburg
New Member

Hi shailesh030
Were you able to solve this issue?
I have the very same Problem.
Regards,

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!