- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Calculated field in DB Connect
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have done testing the calculated fields for Splunk DB Connect in my local machine. Basically I added props.conf file to the following folder: %SPLUNK_HOM%\etc\apps\dbx\local
In the file, I have something like this
[MySoureType]
EVAL-cpu_time_s = CPU / 1000
EVAL-duration_s = Duration / (1000 * 1000)
It works perfectly in my local environment, I can see those fields (cpu_time_s, duration_s) show up in the search. However, when I implement in the actual server (a dedicated heavy forwarder installed with Dbx in a distributed environment), I can't find those fields anymore.
Any reason why it behaves differently? How should I troubleshoot this situation.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somehow I need to move that configuration into indexers, rather than in DB connect dedicated server. Now those calculated fields work as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somehow I need to move that configuration into indexers, rather than in DB connect dedicated server. Now those calculated fields work as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Probably, in your distributed enviroment, the fields CPU and Duration are not beign exctracted properly, and because of that the calculated fields doesn´t work either
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I want to move/test EVAL-field to indexer (instead of defining it in the dedicated forwarder server with dbx), it's not clear to me what exactly the steps I should do? How does indexer know I want add additional calculated fields? Where do I need to put such props.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forgot to mention, those existing EVAL- from other apps managed by deployment server are working fine. Only DB Connect that I configured in this dedicated box did not work as I expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked all splunk servers (search head/indexer) and can only find props.conf with EVAL- in indexer. So, I configured the dedicated heavy forwarder with dbx installed and enabled indexAndForward = true in outputs.conf. I am expecting it will do calculated field in this box before sending to splunk receiver.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
You should put this configuration of props.conf in the Search Head, not in the heavy forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gfuente, Thanks for reply. Both CPU and Duration were showing up just fine. I also tried with fixed value like EVAL_test = 'test', but no such field showed up.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
