Getting Data In
Highlighted

Search Head - props.conf and transforms.conf not taking into effect in apps directory

Path Finder

I have a universal forwarder forwarding key-value-delimited log events to an indexer. I have created an app on the search head to extract the fields using props.conf and transforms.conf. These configuration files are in the /$SPLUNKHOME/etc/apps/App1/local directory but for some reason these configuration files are not taking into effect. These same files when moved to /$SPLUNKHOME/etc/system/local results in fields being extracted and available for search on the search head.

1) There were no other props.conf and transforms.conf present in etc/system/local prior to the move.
2) btool cmd shows the props and transforms were picked up from apps/local directory.
3) Both files have all the permissions.
4) Configuring props.conf (for timezone etc.) in an app context on the indexer works without issues

Content of props.conf

    [1234567_abcd_dplogskv]
    REPORT-parse_dp_kv = dpkvlog
    KV_MODE = none
    pulldown_type = 1

Content of transforms.conf

[dpkvlog]
DELIMS = "~", "="

Any help will be highly appreciated

0 Karma
Highlighted

Re: Search Head - props.conf and transforms.conf not taking into effect in apps directory

Esteemed Legend

You are probably locked into your app's scope and searching outside of it. To give your Knowledge Objects global scope, create this $SPLUNK_HOME/etc/apps/app1/metadata/default.meta file:

Application-level permissions

[]
access = read : [ admin ], write : [ admin ]

EVENT TYPES

[eventtypes]
export = system

PROPS

[props]
export = system

TRANSFORMS

[transforms]
export = system

VIEWSTATES: even normal users should be able to create shared viewstates

[viewstates]
access = read : [ * ], write : [ * ]

LOOKUPS

[lookups]
export = system

Highlighted

Re: Search Head - props.conf and transforms.conf not taking into effect in apps directory

Path Finder

Thanks woodcock.

Currently I am having some permission issues (write) in updating default.meta file but I checked the app permissions through splunkweb and see that App1 has read/write permissions to everyone. Although not ideal, I believe the corresponding meta should like above except that access = read:[],write:[]

But even after making the change, the search extracts only one or two fields & populates them with rest of the fields thus ending up with garbage data.

Do I need to make any other changes to permissions?

0 Karma
Highlighted

Re: Search Head - props.conf and transforms.conf not taking into effect in apps directory

Esteemed Legend

If it works in $SPLUNK_HOME/etc/system/local then just copy the entire metadata directory's contents from there into your app.

0 Karma
Highlighted

Re: Search Head - props.conf and transforms.conf not taking into effect in apps directory

Path Finder

I tried that as well. I took the meta directory from system/metadata along with is default.meta and copied to the /etc/apps/app1 but it still doesn't extract the fields. As soon as move props.conf and transforms.conf back to /system/local it starts working. As you mentioned it certainly has something to do with scope & permissions but not able to figure out what that is. Any other things I can try? Below is the content of system/metadata/default.meta

# System permissions

[]
access = read : [ * ], write : [ admin ]

### VIEWSTATES: even normal users should be able to create shared viewstates

[viewstates]
access = read : [ * ], write : [ * ]

Regards

0 Karma
Highlighted

Re: Search Head - props.conf and transforms.conf not taking into effect in apps directory

New Member

Hi shailesh030
Were you able to solve this issue?
I have the very same Problem.
Regards,

0 Karma