Splunk Enterprise

Search Time extraction not working

nareshinsvu
Builder

Hi,

I am currently working in a new environment where I am trying to do field extraction based on a pipe delimiter.

1) A new app (say my_app) with only inputs.conf is pushed onto the target uf through the deployment server.

inputs.conf:
[monitor:///path1/file1]
index=my_index
soyrcetype=my_st


2) Data is getting ingested, and the requirement is to do field extraction on all the events, which are separated by a pipe delimiter (12345|2021-09-12 11:12:34 345|INFO|blah|blah|blah blah)

The approach I followed

1) Create a new app (plain folder my_app) on my deployer and push it to the search heads with the conf files below.

I felt it was simple to achieve and did this, but somehow it's not working. Did I miss any step to link the app on the forwarder and the SHC?

ls my_app/default/
app.conf props.conf transforms.conf

props.conf
[my_st]
REPORT-getfields = getfields

transforms.conf
[getfields]
DELIMS = "|"
FIELDS = "thread_id","timestamp","loglevel","log_tag","message"

0 Karma
1 Solution

isoutamo
SplunkTrust
Are you running SPL in your app (my_app) context or in the search app? If you want those extractions to work somewhere else, you must add that information to meta/default.meta inside your app.

And have you done a restart, or at least a reload, on the SH side after deployment?

Also, I think you don't need the " characters in FIELDS for separating field names.

r. Ismo

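A complete version of the app this answer describes, written out here as an added example rather than the poster's or Splunk's own files: the props.conf/transforms.conf pair from the question plus the default.meta the answer says is missing. Splunk reads an app's permissions from metadata/default.meta (the directory is named metadata), and a `[]` stanza there applies to every knowledge object in the app. The sourcetype and field names come from the question; the access list is an assumption, and the unquoted FIELDS form follows the remark above.

```ini
# --- my_app/metadata/default.meta ---
# Permissions for the knowledge objects shipped in this app. Without an
# export, REPORT-getfields is visible only to searches run in my_app's own
# context, which matches the symptom in the thread.
[]
access = read : [ * ], write : [ admin ]
export = system

# Alternative to the catch-all stanza above: export only the extraction
# objects and leave everything else in the app private.
# [props]
# export = system
# [transforms]
# export = system

# --- my_app/default/props.conf ---
# The sourcetype name is the only link between the forwarder's inputs.conf
# and this search-time configuration, so the two spellings must match.
[my_st]
REPORT-getfields = getfields

# --- my_app/default/transforms.conf ---
# A single DELIMS value means "split the event on this string and assign the
# pieces to FIELDS in order"; two values would instead describe key/value pairs.
[getfields]
DELIMS = "|"
FIELDS = thread_id, timestamp, loglevel, log_tag, message
```

After the deployer pushes the bundle, search `index=my_index sourcetype=my_st` in Verbose mode from any app; `| extract reload=true` on the end of the search forces props.conf and transforms.conf to be re-read if the fields still do not appear.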

PickleRick
SplunkTrust

Just to make sure - that "soyrcetype" is just a typo on forums, not in your actual config?

0 Karma

nareshinsvu
Builder

Yes, sourcetypes and indexes are just examples in this forum. My config doesn't have typos.

0 Karma


nareshinsvu
Builder

@isoutamo - it worked after setting up permissions in default.meta. Thanks for your reply, it worked 🙂

0 Karma