Hi,
My environment has multiple apps. I got a requirement to default a value to a temp field. While my eval in the search works, the eval in the props conf file isn't creating the new field. Please help me troubleshoot.
My conf files are below:
INPUTS ON FORWARDERS:
[monitor:///var/log/omega]
index=foo_bar_transaction
sourcetype=foo_car
PROPS ON SHC:
[foo_car]
EVAL-tempvariable = "Test_Eval"
EVAL-datacenter = if(IN(mvindex(split(host,"-"),1),"clc","dkn"),"DANGER",mvindex(split(host,"-"),1))
INDEXER:
/opt/splunk/bin/splunk cmd btool props list foo_car --debug
/opt/splunk/etc/slave-apps/INFRA_APP_logs/default/props.conf [foo_car]
/opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf HEADER_MODE =
/opt/splunk/etc/system/default/props.conf LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/local/props.conf MAX_DAYS_HENCE = 40
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf TRANSFORMS =
/opt/splunk/etc/system/default/props.conf TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
/opt/splunk/etc/system/default/props.conf priority =
/opt/splunk/etc/system/default/props.conf sourcetype =
Do you want this field as a calculated field at search time or as an indexed field evaluated at ingest time?
Your props.conf definition seems relatively well defined for a search-time calculated field. But
1) Does the user you're searching with have proper permissions to the app the field is defined in?
2) Are you sure you're not using fast mode?
@PickleRick - your 1) point is valid. I have defined the field extraction inside a custom app, but I'm doing the search from the default search app.
How can I just run a search from the search app with that sourcetype and get my extracted field? I can see the permissions on that app are read/write to everyone.
Hi
If you want to use some KOs (knowledge objects) from individual apps on some other app, then you must change that KO's permission to Global from App (or private). See https://docs.splunk.com/Documentation/Splunk/8.2.4/Knowledge/Manageknowledgeobjectpermissions. You seem to have RW access to that app already, so it should be enough that you give global read permission to this KO.
When you are sharing objects from apps to global you must also check the precedence if/when there are other KOs with the same name! My proposal is to take a global naming standard into use if you haven't done it yet.
r. Ismo
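An added example (not from any post in this thread) showing what the global sharing described above looks like on disk when done in the app's conf files rather than through the UI. It reuses the two EVAL settings from the question and the app name INFRA_APP_logs from the btool output; the metadata stanza names (props/<sourcetype>/EVAL-<field>) and the access/export keys are assumed to follow Splunk's standard .meta format.

```ini
# $SPLUNK_HOME/etc/apps/INFRA_APP_logs/local/props.conf  (search head side)
# The search-time calculated fields from the question, unchanged.
[foo_car]
EVAL-tempvariable = "Test_Eval"
EVAL-datacenter = if(IN(mvindex(split(host,"-"),1),"clc","dkn"),"DANGER",mvindex(split(host,"-"),1))

# $SPLUNK_HOME/etc/apps/INFRA_APP_logs/metadata/local.meta  (search head side)
# Assumed stanza naming: Splunk keeps one permission object per calculated
# field, keyed as props/<sourcetype>/EVAL-<field>. "export = system" is what
# the UI calls sharing the object globally, so a search run from the Search
# app can resolve it. Read is open to everyone (matching the app's existing
# read access), write is limited to the admin role so that no other role can
# silently change what the field evaluates to.
[props/foo_car/EVAL-tempvariable]
access = read : [ * ], write : [ admin ]
export = system

[props/foo_car/EVAL-datacenter]
access = read : [ * ], write : [ admin ]
export = system
```

Because the object names carry the sourcetype and field name, a second app that also defines EVAL-datacenter for foo_car and exports it will collide with this one, which is the precedence problem raised above. In a search head cluster these files are pushed out from the deployer; after the push, the check is the same btool command the question ran on the indexer, but on a search head member: `splunk btool props list foo_car --debug` should then show both EVAL- lines under the INFRA_APP_logs path, and the field should appear in smart or verbose mode from the Search app.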
1) Does the user you're searching with have proper permissions to the app the field is defined in?
Yes - searching as admin user
2) Are you sure you're not using fast mode?
smart mode
I want them at search-time please
Then you should check your btool output on search-head, not on indexer.