Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Time extraction not working

nareshinsvu
Builder
‎12-08-2021 04:52 PM

Hi,

 I am currently working in a new environment where I am trying to do field extraction based of pipe delimiter.

1) A new app (say my_app) with only inputs.conf is pushed onto the target uf through the deployment server.

 

 

 

inputs.conf:
[monitor:///path1/file1]
index=my_index
soyrcetype=my_st

 

 

 

2) Data is getting ingested and the requirement is to do field extraction on all the events separated by pipe delimiter (12345|2021-09-12 11:12:34 345|INFO|blah|blah|blah blah)

My approach followed

1) Create a new app (plain folder my_app) on my deployer and push it to the search heads with below conf files

I felt it was simple to achieve and did this. somehow it's not working. Did I miss any step to link the app on forwarder and the shc?

 

 

 

ls my_app/default/
app.conf props.conf transforms.conf

props.conf
[my_st]
REPORT-getfields = getfields

transforms.conf
[getfields]
DELIMS = "|"
FIELDS = "thread_id","timestamp","loglevel","log_tag","message"

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-09-2021 05:54 AM
Are you running SPL on your app (my_app) context or in search app? If you want that those extractions are working somewhere else you must add that information to meta/default.meta inside our app.

And you have done restart or at least reload on SH side after deployment?

Also I think that you are not needing " in a FIELDS as separating field names.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-09-2021 01:00 PM

Just to make sure - that "soyrcetype" is just a typo on forums, not in your actual config?

0 Karma
Reply
Solved! Jump to solution

nareshinsvu
Builder
‎12-09-2021 02:18 PM

Yes, sourcetypes and indexes are just examples in this forum. My config doesnt have typos

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-09-2021 05:54 AM
Are you running SPL on your app (my_app) context or in search app? If you want that those extractions are working somewhere else you must add that information to meta/default.meta inside our app.

And you have done restart or at least reload on SH side after deployment?

Also I think that you are not needing " in a FIELDS as separating field names.

r. Ismo
Reply
Solved! Jump to solution

nareshinsvu
Builder
‎12-09-2021 03:01 PM

@isoutamo  - it worked after setting up permissions in default.meta. Thanks for your reply. it worked 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...