Solved: Why is the global sourcetype defined in props.conf...

faustf · ‎02-17-2017

Hi guys

I've defined my sourcetype, transforms and lookup in /opt/splunk/etc/system/local/props.conf and /opt/splunk/etc/system/local/transforms.conf (I set the lookup from the web interface).
Everything is working fine with the default Search and Reporting App.
After I created my customApp and if I perform the same search in the App, I can see the right source_type associated to my data but the regex that I defined in /opt/splunk/etc/system/local/transforms.conf is not applied.

Any suggestion?

Thanks

martin_mueller · ‎02-17-2017

Most likely there's some config in the wrong place. Here's a start:

$SPLUNK_HOME/bin/splunk btool props list your_sourcetype --debug
$SPLUNK_HOME/bin/splunk btool transforms list your_transforms_or_lookup --debug

Check if all relevant settings are in the right place from Splunk's point of view. For more detailed help you'll need to share your config.

View solution in original post

martin_mueller · ‎02-17-2017

Most likely there's some config in the wrong place. Here's a start:

$SPLUNK_HOME/bin/splunk btool props list your_sourcetype --debug
$SPLUNK_HOME/bin/splunk btool transforms list your_transforms_or_lookup --debug

Check if all relevant settings are in the right place from Splunk's point of view. For more detailed help you'll need to share your config.

martin_mueller · ‎02-17-2017

Feel free to elaborate what you did to fix and mark as accepted.

faustf · ‎02-17-2017

Thanks, this helped!

Why is the global sourcetype defined in props.conf and transforms.conf not used by my custom app?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform