Splunk Search

Custom Deployment Application - Inability to visualize pre-defined field extraction from props.conf file

NAtanasov
New Member

Hello Community,

My team and I are trying to configure a custom deployment application which has to be implemented ONLY through the command line. There should be no interaction with the UI while configuring the custom app itself - this is a client request.

The application gathers log data from three different log files located on a Windows Server 2019 and the main idea is to have this app in order to properly segment all the information coming from those logs. After the information is gathered it has to be searchable in the default Splunk Search Application.

As read in the documentation, the deployment application is placed under:
$SPLUNK_HOME/etc/deployment-apps
The underlying file structure is as follows:
local ( contains: inputs.conf, props.conf )
metadata ( contains: local.meta )

All the configuration we have performed is defined in props.conf, specifying the custom fields which we want to display in the Splunk Search Application. Below is the props.conf file itself:

[inwebo:synclog]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %d.%m.%Y %H:%M:%S
category = Miscellaneous
description = InWebo Sync Activation Mails Log
disabled = false
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD =
EXTRACT-TimeStamp = ^(?P<TimeStamp>\d+\.\d+\.\d+\s+\d+:\d+:\d+)

[inwebo:iwdslog]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Miscellaneous
pulldown_type = 1
EXTRACT-TimeDate = ^(?P<TimeDate>[^,]+)
EXTRACT-Status = ^[^ \n]* (?P<Status>[^ ]+)
MAX_TIMESTAMP_LOOKAHEAD =
description = InWebo IWDS Log
disabled = false
TIME_FORMAT = %Y-%m-%dT%H:%M:%S


[inwebo:gdriveuploaderlog]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD =
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %d-%m-%Y %H:%M:%S
category = Miscellaneous
description = GDrive Uploader (InWebo Service)
pulldown_type = 1
disabled = false
EXTRACT-DateTime = ^(?P<DateTime>\d+\-\d+\-\d+\s+\d+:\d+:\d+)
EXTRACT-Status = (?=[^U]*(?:Upload|U.*Upload))^(?:[^ \n]* ){3}(?P<Status>\w+)

As you are able to observe, the bolded attributes are what we thought should be enough in order to have the necessary new fields presented in the Splunk Search Application.

As for the inputs.conf file, we have pre-defined the necessary information about the log locations and also the index into which the information should be gathered.

Here's a small sample just in case there is misconfiguration over there:
[monitor://E:\inWebo-Prod-Varn-4358\log\IWDS.log]
disabled = false
index = mfa_inwebo
sourcetype = iwdslog
host = BJKW1PZJFLTFA01
** the other logs are specified analogously in the same file

In order to create a relation between the deployment application which we have implemented and the Default Splunk Search Application, we have added the index configuration to the Default Search Application's indexes.conf file:

[mfa_inwebo]
coldPath = $SPLUNK_DB/mfa_inwebo/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/mfa_inwebo/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/mfa_inwebo/thaweddb
archiver.enableDataArchive = 0
bucketMerging = 0
bucketRebuildMemoryHint = 0
compressRawdata = 1
enableOnlineBucketRepair = 1
hotBucketStreaming.deleteHotsAfterRestart = 0
hotBucketStreaming.removeRemoteSlicesOnRoll = 0
hotBucketStreaming.reportStatus = 0
hotBucketStreaming.sendSlices = 0
metric.enableFloatingPointCompression = 1
metric.stubOutRawdataJournal = 1
minHotIdleSecsBeforeForceRoll = 0
rtRouterQueueSize =
rtRouterThreads =
selfStorageThreads =
suspendHotRollByDeleteQuery = 0
syncMeta = 1
tsidxWritingLevel =

The main goal is to have an independent deployment application which could easily be transferred to another Search Head and be searchable without additional configuration. That is why we did not define the deployment app's props.conf settings in the props.conf of the Default Search Application.

The problem we are facing is that we are not able to visualize the field extractions in the Default Search Application - they simply do not exist as they should. The index is displayed, the source types are visible as well, and all the necessary log information is available, but the custom fields are not present.

So do you notice any reason why the bolded custom field extractions are not displayed in the search results?

I hope the information brings enough clarification, if not I am ready to provide additional resources.

Thank you very much for your cooperation and support in advance.

Nikola Atanasov
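The following script is an added example for readers of this thread; it is not code from the original post or from Splunk. It does two things that can be checked offline before touching the search head: it confirms that every `sourcetype` named in inputs.conf has a matching `[<sourcetype>]` stanza in props.conf (search-time `EXTRACT-*` regexes in a props.conf stanza only apply to events whose sourcetype is exactly that stanza name, and the fragments above pair `sourcetype = iwdslog` with a stanza called `[inwebo:iwdslog]`), and it runs the posted `EXTRACT-*` regexes against constructed sample events to show which fields they would produce. The props.conf and inputs.conf text is reconstructed from the fragments in the post with keys that do not affect field extraction omitted; the second monitor stanza, its file name and all sample events are constructed for the example, and `parse_conf()` is a deliberately minimal approximation of Splunk's .conf reader.

```python
"""Offline consistency check for a Splunk app's search-time field extractions.

Added example, not code from the post or from Splunk.  Assumptions:
  * EXTRACT-<class> in a props.conf [<name>] stanza applies at search time
    only to events whose sourcetype is exactly <name>, so every
    'sourcetype = X' in inputs.conf needs a '[X]' stanza in props.conf.
  * parse_conf() is a minimal stand-in for Splunk's .conf reader, adequate
    for plain stanza/key/value files like the ones in the post.
"""
import configparser
import re

# Reconstructed from the post; keys irrelevant to extraction omitted.
PROPS_CONF = r"""
[inwebo:synclog]
TIME_FORMAT = %d.%m.%Y %H:%M:%S
EXTRACT-TimeStamp = ^(?P<TimeStamp>\d+\.\d+\.\d+\s+\d+:\d+:\d+)

[inwebo:iwdslog]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
EXTRACT-TimeDate = ^(?P<TimeDate>[^,]+)
EXTRACT-Status = ^[^ \n]* (?P<Status>[^ ]+)

[inwebo:gdriveuploaderlog]
TIME_FORMAT = %d-%m-%Y %H:%M:%S
EXTRACT-DateTime = ^(?P<DateTime>\d+\-\d+\-\d+\s+\d+:\d+:\d+)
EXTRACT-Status = (?=[^U]*(?:Upload|U.*Upload))^(?:[^ \n]* ){3}(?P<Status>\w+)
"""

# First stanza is the one shown in the post; the second is a hypothetical
# sibling (constructed file name) whose sourcetype does match props.conf.
INPUTS_CONF = r"""
[monitor://E:\inWebo-Prod-Varn-4358\log\IWDS.log]
disabled = false
index = mfa_inwebo
sourcetype = iwdslog
host = BJKW1PZJFLTFA01

[monitor://E:\inWebo-Prod-Varn-4358\log\GDriveUploader.log]
disabled = false
index = mfa_inwebo
sourcetype = inwebo:gdriveuploaderlog
host = BJKW1PZJFLTFA01
"""

# Constructed sample events, one per sourcetype name we want to exercise.
SAMPLE_EVENTS = {
    "inwebo:synclog": "15.01.2024 10:22:33 Activation mail sent to user@example.com",
    "inwebo:iwdslog": "2024-01-15T10:22:33,123 SUCCESS directory sync completed",
    "inwebo:gdriveuploaderlog": "15-01-2024 10:22:33 Upload OK report.pdf",
    # Same event as inwebo:iwdslog, but tagged the way inputs.conf tags it.
    "iwdslog": "2024-01-15T10:22:33,123 SUCCESS directory sync completed",
}


def parse_conf(text):
    """Return {stanza: {key: value}} for a simple Splunk-style .conf file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case: EXTRACT-Status != extract-status
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def unmatched_sourcetypes(inputs_text, props_text):
    """List (monitor stanza, sourcetype) pairs with no props.conf stanza."""
    props = parse_conf(props_text)
    problems = []
    for stanza, keys in parse_conf(inputs_text).items():
        if not stanza.startswith("monitor://"):
            continue
        sourcetype = keys.get("sourcetype")
        if sourcetype and sourcetype not in props:
            problems.append((stanza, sourcetype))
    return problems


def extract_fields(props_text, sourcetype, event):
    """Apply every EXTRACT-* regex of the sourcetype's stanza to one event.

    Returns the named-group captures; an empty dict when no stanza matches
    the sourcetype, which is exactly what the search head would show.
    """
    stanza = parse_conf(props_text).get(sourcetype, {})
    fields = {}
    for key, regex in stanza.items():
        if not key.startswith("EXTRACT-"):
            continue
        match = re.search(regex, event)
        if match:
            fields.update({name: value for name, value in
                           match.groupdict().items() if value is not None})
    return fields


if __name__ == "__main__":
    for stanza, sourcetype in unmatched_sourcetypes(INPUTS_CONF, PROPS_CONF):
        print(f"{stanza}: sourcetype {sourcetype!r} has no props.conf stanza")
    for sourcetype, event in SAMPLE_EVENTS.items():
        print(f"{sourcetype}: {extract_fields(PROPS_CONF, sourcetype, event)}")
```

Running it reports the IWDS monitor stanza as unmatched and returns no fields for events tagged `iwdslog`, while the same event tagged `inwebo:iwdslog` yields `TimeDate` and `Status`. On the Splunk hosts themselves the authoritative check is `splunk btool props list <sourcetype> --debug`, which shows which file each props.conf setting is actually read from. Two further points are worth verifying by hand: `$SPLUNK_HOME/etc/deployment-apps` is only the deployment server's staging area, so the app with props.conf must also be present under `$SPLUNK_HOME/etc/apps` on the search head for search-time extraction, and the app's knowledge objects need `export = system` in its metadata (default.meta or local.meta) to be visible from the Search app rather than only inside the app's own context.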
