I am currently working in a new environment where I am trying to do field extraction based on a pipe delimiter.
1) A new app (say my_app) with only inputs.conf is pushed onto the target uf through the deployment server.
inputs.conf:
[monitor:///path1/file1]
index=my_index
soyrcetype=my_st
2) Data is getting ingested and the requirement is to do field extraction on all the events separated by pipe delimiter (12345|2021-09-12 11:12:34 345|INFO|blah|blah|blah blah)
My approach followed
1) Create a new app (plain folder my_app) on my deployer and push it to the search heads with below conf files
I felt it was simple to achieve and did this. Somehow it's not working. Did I miss any step to link the app on the forwarder and the SHC?

ls my_app/default/
app.conf props.conf transforms.conf

props.conf
[my_st]
REPORT-getfields = getfields

transforms.conf
[getfields]
DELIMS = "|"
FIELDS = "thread_id","timestamp","loglevel","log_tag","message"
Just to make sure - that "soyrcetype" is just a typo on forums, not in your actual config?
Yes, sourcetypes and indexes are just examples in this forum. My config doesn't have typos.
@isoutamo - it worked after setting up permissions in default.meta. Thanks for your reply. It worked 🙂
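
For readers landing on this thread: the exact default.meta the poster used is not shown, so the following is an added example, not the poster's file. It assumes the fix was to share the app's search-time extraction objects globally, so that searches run from other apps on the search heads can see the `[my_st]` extraction, while keeping write access limited to the admin role.

```ini
# my_app/metadata/default.meta  (assumed location; shipped with the app from the deployer)

# Baseline for every object in the app: everyone can read, only admin can modify.
# Without an export setting, objects stay private to my_app.
[]
access = read : [ * ], write : [ admin ]

# Share only the objects that carry the extraction, not the whole app.
# props.conf holds the REPORT-getfields reference for [my_st].
[props]
export = system

# transforms.conf holds the [getfields] DELIMS/FIELDS definition.
[transforms]
export = system
```

Exporting just `props` and `transforms` rather than setting `export = system` under `[]` keeps any other objects later added to the app scoped to the app itself.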