Getting Data In

Search Head - props.conf and transforms.conf not taking into effect in apps directory

shailesh030
Path Finder

I have a universal forwarder forwarding key-value-delimited log events to an indexer. I have created an app on the search head to extract the fields using props.conf and transforms.conf. These configuration files are in the /$SPLUNK_HOME/etc/apps/App1/local directory, but for some reason they are not taking effect. When these same files are moved to /$SPLUNK_HOME/etc/system/local, the fields are extracted and available for search on the search head.

1) There were no other props.conf and transforms.conf present in etc/system/local prior to the move.
2) btool cmd shows the props and transforms were picked up from apps/local directory.
3) Both files have all the permissions.
4) Configuring props.conf (for timezone etc.) in an app context on the indexer works without issues

Content of props.conf

    [1234567_abcd_dplogskv]
    REPORT-parse_dp_kv = dpkvlog
    KV_MODE = none
    pulldown_type = 1

Content of transforms.conf

    [dpkvlog]
    DELIMS = "~", "="

Any help will be highly appreciated

0 Karma
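As an added illustration (not code from this thread or from Splunk), the Python script below emulates what a two-entry DELIMS setting like "~", "=" does to a constructed event, and flags the symptom described later in the thread (one or two fields populated with the rest of the data) when the pair delimiter does not match the events. The delimiter semantics are my reading of the transforms.conf documentation, not Splunk's code.

```python
import re

# Constructed sample event in the shape the question describes: key=value
# pairs separated by "~". Not captured from the poster's forwarder.
SAMPLE_EVENT = "ts=2024-01-01T00:00:00Z~src=10.0.0.5~action=allow~msg=ok"


def extract_delims(event, pair_delims="~", kv_delims="="):
    """Emulate a two-entry DELIMS extraction (assumption: my reading of the
    transforms.conf docs). The first string holds the characters that split
    the event into pairs, the second the characters that split a pair into
    field and value. A pair without a kv delimiter is dropped."""
    pair_re = "[" + re.escape(pair_delims) + "]"
    kv_re = "[" + re.escape(kv_delims) + "]"
    fields = {}
    for pair in re.split(pair_re, event):
        if not pair:
            continue
        parts = re.split(kv_re, pair, maxsplit=1)
        if len(parts) != 2:
            continue
        fields[parts[0].strip()] = parts[1].strip()
    return fields


def swallowed_fields(fields, pair_delims="~", kv_delims="="):
    """Names of fields whose value still contains a delimiter character: the
    'one or two fields populated with the rest' symptom, which points at a
    DELIMS setting that does not match the data rather than at permissions."""
    bad = set(pair_delims) | set(kv_delims)
    return sorted(k for k, v in fields.items() if any(c in v for c in bad))


if __name__ == "__main__":
    good = extract_delims(SAMPLE_EVENT, "~", "=")
    print("matching DELIMS:", good, swallowed_fields(good, "~", "="))
    # Wrong pair delimiter: the whole event becomes one field's value.
    wrong = extract_delims(SAMPLE_EVENT, ",", "=")
    print("mismatched DELIMS:", wrong, swallowed_fields(wrong, ",", "="))
```

Running the same check against a real event sample is a quick way to separate a scoping problem (no fields at all) from a delimiter mismatch (a few fields holding everything).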

woodcock
Esteemed Legend

You are probably locked into your app's scope and searching outside of it. To give your Knowledge Objects global scope, create this $SPLUNK_HOME/etc/apps/app1/metadata/default.meta file:

    # Application-level permissions

    []
    access = read : [ admin ], write : [ admin ]

    # EVENT TYPES

    [eventtypes]
    export = system

    # PROPS

    [props]
    export = system

    # TRANSFORMS

    [transforms]
    export = system

    # VIEWSTATES: even normal users should be able to create shared viewstates

    [viewstates]
    access = read : [ * ], write : [ * ]

    # LOOKUPS

    [lookups]
    export = system

shailesh030
Path Finder

Thanks woodcock.

Currently I am having some permission issues (write) updating the default.meta file, but I checked the app permissions through splunkweb and see that App1 has read/write permissions for everyone. Although not ideal, I believe the corresponding meta should look like the above except that access = read:[],write:[]

But even after making the change, the search extracts only one or two fields and populates them with the rest of the fields, thus ending up with garbage data.

Do I need to make any other changes to permissions?

0 Karma

woodcock
Esteemed Legend

If it works in $SPLUNK_HOME/etc/system/local then just copy the entire metadata directory's contents from there into your app.

0 Karma

shailesh030
Path Finder

I tried that as well. I took the meta directory from system/metadata along with its default.meta and copied it to /etc/apps/app1, but it still doesn't extract the fields. As soon as I move props.conf and transforms.conf back to /system/local it starts working. As you mentioned, it certainly has something to do with scope and permissions, but I am not able to figure out what that is. Any other things I can try? Below is the content of system/metadata/default.meta

    # System permissions

    []
    access = read : [ * ], write : [ admin ]

    ### VIEWSTATES: even normal users should be able to create shared viewstates

    [viewstates]
    access = read : [ * ], write : [ * ]

Regards

0 Karma

MarkusAugstburg
New Member

Hi shailesh030,
Were you able to solve this issue?
I have the very same problem.
Regards,

0 Karma