Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Time extraction not working

nareshinsvu
Builder
‎12-08-2021 04:52 PM

Hi,

 I am currently working in a new environment where I am trying to do field extraction based of pipe delimiter.

1) A new app (say my_app) with only inputs.conf is pushed onto the target uf through the deployment server.

 

 

 

inputs.conf:
[monitor:///path1/file1]
index=my_index
soyrcetype=my_st

 

 

 

2) Data is getting ingested and the requirement is to do field extraction on all the events separated by pipe delimiter (12345|2021-09-12 11:12:34 345|INFO|blah|blah|blah blah)

My approach followed

1) Create a new app (plain folder my_app) on my deployer and push it to the search heads with below conf files

I felt it was simple to achieve and did this. somehow it's not working. Did I miss any step to link the app on forwarder and the shc?

 

 

 

ls my_app/default/
app.conf props.conf transforms.conf

props.conf
[my_st]
REPORT-getfields = getfields

transforms.conf
[getfields]
DELIMS = "|"
FIELDS = "thread_id","timestamp","loglevel","log_tag","message"

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-09-2021 05:54 AM
Are you running SPL on your app (my_app) context or in search app? If you want that those extractions are working somewhere else you must add that information to meta/default.meta inside our app.

And you have done restart or at least reload on SH side after deployment?

Also I think that you are not needing " in a FIELDS as separating field names.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-09-2021 01:00 PM

Just to make sure - that "soyrcetype" is just a typo on forums, not in your actual config?

0 Karma
Reply
Solved! Jump to solution

nareshinsvu
Builder
‎12-09-2021 02:18 PM

Yes, sourcetypes and indexes are just examples in this forum. My config doesnt have typos

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-09-2021 05:54 AM
Are you running SPL on your app (my_app) context or in search app? If you want that those extractions are working somewhere else you must add that information to meta/default.meta inside our app.

And you have done restart or at least reload on SH side after deployment?

Also I think that you are not needing " in a FIELDS as separating field names.

r. Ismo
Reply
Solved! Jump to solution

nareshinsvu
Builder
‎12-09-2021 03:01 PM

@isoutamo  - it worked after setting up permissions in default.meta. Thanks for your reply. it worked 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...