Splunk Search

Is there a way to find which props.conf and/or transforms.conf file is applied to a specific sourcetype for search-time field extractions?

ashabc
Contributor

I have certain logs which are indexed correctly. Field extraction using props.conf and transforms.conf works correctly when I am searching within the indexer. However, when I copy the same set of props and transforms files to the search head, field extraction does not work.

I have put props and transforms under .../ets/apps/search/local on the search head and am trying to search within the search app. It seems something else is taking precedence.

I am just searching:

sourcetype=cf

There is only one type of data in that index.

My question is, is there a way to find which props and/or transforms file is applied to a specific sourcetype?

I tried the following command:

splunk cmd btool --app=search props list

which shows the following output:

[cf]
DATETIME_CONFIG =
FIELDALIAS-src = c_ip AS src
KV_MODE = none
MAX_TIMESTAMP_LOOKAHEAD = 20
NO_BINARY_CHECK = true
REPORT-cfx = kv_for_cf
SHOULD_LINEMERGE = True
TRANSFORMS-sourcetype = nullPound
category = Web
description = AWS cloudfront logs
pulldown_type = true
[cisco_wsa_squid]
EVAL-MB = sc_bytes/(1024*1024)
[ironport_proxy]
[splunk_web_service]
EXTRACT-useragent = userAgent=(?P<browser>[^ (]+)
[splunkd]
EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) - (?P<message>.+)

sowings
Splunk Employee

The btool invocation you've used is focused only upon the contents of the "search" app. There are some default behaviors that may be shining through from the base package install. Let me instead suggest splunk cmd btool props list sc --debug. This says "show me the (merged) contents of 'props(.conf)' for stanzas (sourcetypes) starting with 'sc' and show me exactly where the config came from."
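With the --debug flag, btool prefixes every merged line with the file it came from, which is what answers the original question per setting. The helper below is an added example, not code from either post or from Splunk: it parses a constructed btool --debug sample (the "my_cf_app" path is hypothetical) and lists, for one stanza, the settings that are resolved from files outside a given app, i.e. the "something else" that is taking precedence or filling in defaults.

```shell
#!/bin/sh
# Constructed sample of `splunk cmd btool props list cf --debug` output (not captured
# from a real system). Real output has the same shape: "<source file>  <conf line>".
BTOOL_DEBUG_SAMPLE='/opt/splunk/etc/apps/search/local/props.conf  [cf]
/opt/splunk/etc/system/default/props.conf  DATETIME_CONFIG =
/opt/splunk/etc/apps/search/local/props.conf  FIELDALIAS-src = c_ip AS src
/opt/splunk/etc/apps/my_cf_app/default/props.conf  KV_MODE = none
/opt/splunk/etc/apps/search/local/props.conf  REPORT-cfx = kv_for_cf
/opt/splunk/etc/apps/my_cf_app/default/props.conf  TRANSFORMS-sourcetype = nullPound
/opt/splunk/etc/system/default/props.conf  [splunkd]
/opt/splunk/etc/system/default/props.conf  EXTRACT-fields = (?i)^(?P<log_level>[^ ]*)'

# stanza_sources STANZA: read btool --debug output on stdin and print
# "<file> <key>" for every setting btool resolved for [STANZA].
stanza_sources() {
  awk -v want="[$1]" '
    { file = $1; sub(/^[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "") }  # strip path prefix
    /^\[/ { in_stanza = ($0 == want); next }                      # stanza header
    in_stanza && index($0, "=") {
      key = $0; sub(/[ \t]*=.*/, "", key); print file " " key
    }
  '
}

# setting_source STANZA KEY: print the single file that supplied KEY for [STANZA].
setting_source() {
  stanza_sources "$1" | awk -v k="$2" '$2 == k { print $1 }'
}

# foreign_sources STANZA APP: settings for [STANZA] that do not come from
# $SPLUNK_HOME/etc/apps/APP/ (local or default), one "<file> <key>" per line.
foreign_sources() {
  stanza_sources "$1" | awk -v app="$2" 'index($1, "/apps/" app "/") == 0'
}

# Stand-alone demo on the constructed sample; on a live search head, replace the
# printf with: splunk cmd btool props list cf --debug | foreign_sources cf search
printf '%s\n' "$BTOOL_DEBUG_SAMPLE" | foreign_sources cf search
```

Run the same pipeline against transforms.conf (`btool transforms list <stanza> --debug`) to confirm that the REPORT-cfx target (kv_for_cf) is also being read from the file you expect.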
