Why does eval in search work but eval in the props.conf file doesn't create a new field?

nareshinsvu
Builder

Hi,

My environment has multiple apps. I got a requirement to default a value to a temp field. My eval works in search, but the same eval in the props.conf file isn't creating the new field. Please help me troubleshoot.

My conf files are below:

INPUTS ON FORWARDERS:
[monitor:///var/log/omega]
index=foo_bar_transaction
sourcetype=foo_car

PROPS ON SHC:
[foo_car]
EVAL-tempvariable = "Test_Eval"
EVAL-datacenter = if(IN(mvindex(split(host,"-"),1),"clc","dkn"),"DANGER",mvindex(split(host,"-"),1))

INDEXER:
/opt/splunk/bin/splunk cmd btool props list foo_car --debug
/opt/splunk/etc/slave-apps/INFRA_APP_logs/default/props.conf [foo_car]
/opt/splunk/etc/system/default/props.conf                        ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf                        ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf                        AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf                        BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf                        BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf                        CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf                        DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf                        DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf                        HEADER_MODE =
/opt/splunk/etc/system/default/props.conf                        LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf                        LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf                        LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf                        MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf                        MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/local/props.conf                          MAX_DAYS_HENCE = 40
/opt/splunk/etc/system/default/props.conf                        MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf                        MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf                        MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf                        MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf                        MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf                        MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf                        MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf                        SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf                        SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf                        SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf                        SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf                        SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf                        SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf                        SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf                        TRANSFORMS =
/opt/splunk/etc/system/default/props.conf                        TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf                        detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf                        maxDist = 100
/opt/splunk/etc/system/default/props.conf                        priority =
/opt/splunk/etc/system/default/props.conf                        sourcetype =

PickleRick
SplunkTrust

Do you want this field as a calculated field at search time, or as an indexed field evaluated at ingest time?

Your props.conf definition seems relatively well defined for a search-time calculated field. But

1) Does the user you're searching with have proper permissions to the app the field is defined in?

2) Are you sure you're not using fast mode?

nareshinsvu
Builder

@PickleRick - your point 1) is valid. I have defined the field extraction inside a custom app, but I'm doing the search from the default search app.

How can I just run a search from the search app with that sourcetype and get my extracted field? I can see the permissions on that app are read/write for everyone.

isoutamo
SplunkTrust

Hi

If you want to use some KOs (knowledge objects) from individual apps in some other app, then you must change that KO's permission from App (or Private) to Global. See https://docs.splunk.com/Documentation/Splunk/8.2.4/Knowledge/Manageknowledgeobjectpermissions. You seem to already have RW access to that app, so it should be enough that you give global read permission to this KO.

When you are sharing objects from apps to global, you must also check the precedence if/when there are other KOs with the same name! My proposal is to take a global naming standard into use if you haven't done it yet.

r. Ismo
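To make the sharing rule above concrete, here is an added Python check (not code from the thread or from Splunk) that parses a props.conf like the one posted together with a constructed metadata/local.meta, and reports which EVAL- fields are usable from a given search app: only when the search runs inside the owning app, or when the object carries export = system (what "Global" sharing writes). It also re-expresses the posted EVAL-datacenter logic in Python so the expected value can be confirmed once the field shows up. File contents, app names and hostnames are constructed for illustration.

```python
import re

# Constructed sample files (not from the original thread), modelled on the
# props.conf posted above and a metadata/local.meta for the app that holds it.
PROPS_CONF = """
[foo_car]
EVAL-tempvariable = "Test_Eval"
EVAL-datacenter = if(IN(mvindex(split(host,"-"),1),"clc","dkn"),"DANGER",mvindex(split(host,"-"),1))
"""

# "App" sharing writes no export line; "Global" sharing writes export = system.
LOCAL_META_APP_ONLY = """
[props/foo_car]
access = read : [ * ], write : [ * ]
"""
LOCAL_META_GLOBAL = LOCAL_META_APP_ONLY + "export = system\n"


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; values may contain '='."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def visible_eval_fields(props_text, meta_text, props_app, search_app):
    """Names of EVAL- fields from props_text that a search run in search_app can use.
    Role read access (the access= line) is assumed to be satisfied, as in the thread."""
    props, meta = parse_conf(props_text), parse_conf(meta_text)
    fields = []
    for stanza, keys in props.items():
        # object-level stanza ([props/foo_car]) wins over the type-level [props] stanza
        obj_meta = meta.get(f"props/{stanza}", meta.get("props", {}))
        exported = obj_meta.get("export", "none").lower() == "system"
        if props_app == search_app or exported:
            fields += [k[len("EVAL-"):] for k in keys if k.startswith("EVAL-")]
    return sorted(fields)


def datacenter_from_host(host):
    """Python equivalent of the posted EVAL-datacenter expression."""
    parts = host.split("-")
    token = parts[1] if len(parts) > 1 else None  # mvindex(..., 1) is null when absent
    return "DANGER" if token in ("clc", "dkn") else token
```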

nareshinsvu
Builder

1) Does the user you're searching with have proper permissions to the app the field is defined in?

Yes - searching as admin user

2) Are you sure you're not using fast mode?

smart mode

isoutamo
SplunkTrust

If you want to add new fields at index time, you should use transforms.conf and INGEST_EVAL.

nareshinsvu
Builder

I want them at search time, please.

PickleRick
SplunkTrust

Then you should check your btool output on the search head, not on the indexer.