Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search Time extraction not working

nareshinsvu
Builder
‎12-08-2021 04:52 PM

Hi,

 I am currently working in a new environment where I am trying to do field extraction based of pipe delimiter.

1) A new app (say my_app) with only inputs.conf is pushed onto the target uf through the deployment server.

 

 

 

inputs.conf:
[monitor:///path1/file1]
index=my_index
soyrcetype=my_st

 

 

 

2) Data is getting ingested and the requirement is to do field extraction on all the events separated by pipe delimiter (12345|2021-09-12 11:12:34 345|INFO|blah|blah|blah blah)

My approach followed

1) Create a new app (plain folder my_app) on my deployer and push it to the search heads with below conf files

I felt it was simple to achieve and did this. somehow it's not working. Did I miss any step to link the app on forwarder and the shc?

 

 

 

ls my_app/default/
app.conf props.conf transforms.conf

props.conf
[my_st]
REPORT-getfields = getfields

transforms.conf
[getfields]
DELIMS = "|"
FIELDS = "thread_id","timestamp","loglevel","log_tag","message"

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-09-2021 05:54 AM
Are you running SPL on your app (my_app) context or in search app? If you want that those extractions are working somewhere else you must add that information to meta/default.meta inside our app.

And you have done restart or at least reload on SH side after deployment?

Also I think that you are not needing " in a FIELDS as separating field names.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-09-2021 01:00 PM

Just to make sure - that "soyrcetype" is just a typo on forums, not in your actual config?

0 Karma
Reply
Solved! Jump to solution

nareshinsvu
Builder
‎12-09-2021 02:18 PM

Yes, sourcetypes and indexes are just examples in this forum. My config doesnt have typos

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-09-2021 05:54 AM
Are you running SPL on your app (my_app) context or in search app? If you want that those extractions are working somewhere else you must add that information to meta/default.meta inside our app.

And you have done restart or at least reload on SH side after deployment?

Also I think that you are not needing " in a FIELDS as separating field names.

r. Ismo
Reply
Solved! Jump to solution

nareshinsvu
Builder
‎12-09-2021 03:01 PM

@isoutamo  - it worked after setting up permissions in default.meta. Thanks for your reply. it worked 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...