Getting Data In

Why is my EVAL configuration in props.conf on the Search Head not processing?

jwhughes58
Contributor

I'm working with data that is being sent from a universal forwarder (UF) on the server. I do an INDEXED_EXTRACTION in the props.conf on the universal forwarder. When I search for the data on the search head (SH) it is put into the correct fields. I also have EVALs in the props.conf on the SH. What I don't see is the EVALs being processed. These EVALs were processed on my standalone dev laptop, but not in the distributed environment. Do I need to move the EVALs to the UF?

0 Karma
1 Solution

jwhughes58
Contributor

There are days. I had a meeting with the rest of the team and my issue was due to our distributed environment. The TA got pushed to the UF, but not to the SH. Once it was pushed to the SH, the problem resolved itself.

0 Karma

martin_mueller
SplunkTrust

Do post your relevant configuration, e.g. the props.conf defining the eval, some sample events, the searches you are running, etc.

0 Karma

somesoni2
SplunkTrust

No, the EVALs (calculated fields) are search-time field extractions and should be on the SH. Can you check whether those EVALs have Global sharing permissions and allow read for your user role (or everyone)?

0 Karma
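
Added example, not written by anyone in this thread: a Python check that lists the search-time settings (such as `EVAL-`) that a TA's props.conf defines but the search head's copy lacks, which is the situation the accepted solution describes. The sourcetype `acme:app:json`, the field names and both sample files are constructed for illustration.

```python
# Added example: find search-time props.conf settings missing on the search head.
# All sample data below is constructed; it is not from the original thread.

# Setting prefixes that Splunk applies at search time, so they must be on the SH.
SEARCH_TIME = ("EVAL-", "EXTRACT-", "REPORT-", "FIELDALIAS-", "LOOKUP-")

def parse_props(text):
    """Parse props.conf text into {stanza: {setting: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)  # EVAL expressions may contain '='
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def search_time_settings(stanzas):
    """Return the set of (stanza, setting) pairs that are search-time."""
    return {(s, k) for s, kv in stanzas.items()
            for k in kv if k.startswith(SEARCH_TIME)}

def missing_on_search_head(ta_props, sh_props):
    """Search-time settings the TA defines that the SH copy does not have."""
    wanted = search_time_settings(parse_props(ta_props))
    present = search_time_settings(parse_props(sh_props))
    return sorted(wanted - present)

# Constructed TA props.conf: one UF-side setting and two search-time EVALs.
TA_PROPS = """
[acme:app:json]
INDEXED_EXTRACTIONS = json
EVAL-bytes_total = bytes_in + bytes_out
EVAL-action = if(status >= 400, "failure", "success")
"""

SH_PROPS_BEFORE = ""       # TA pushed to the UF only, nothing on the SH
SH_PROPS_AFTER = TA_PROPS  # TA also pushed to the SH

if __name__ == "__main__":
    for stanza, setting in missing_on_search_head(TA_PROPS, SH_PROPS_BEFORE):
        print(f"missing on SH: [{stanza}] {setting}")
```
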

jwhughes58
Contributor

The sharing permission is global. The permissions are everyone:read, admin:write, and power:write.

0 Karma

adonio
Ultra Champion

What is the full path to the file for this particular props.conf?
What does your distributed environment look like?
Try placing the props.conf on the indexer as well.
Hope it helps.

0 Karma