- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search Time field extractions not working when...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I decided to take some of the work I've been doing and move it into an app.
I haven't made any UI changes at this point. I'm simply moving my inputs, transforms, and props into an app directory tree.
My field extractions were defined previously in etc/users/username/search/local/props.conf
I moved them into the equivalent stanzas in etc/apps/appname/local/props.conf.
I restarted splunk and performed a quick search to verify that the fields were still present in search results but they are not.
EDIT:
As part of troubleshooting, I moved the index I was using to the etc/apps/appname/local/indexes.conf, and restarted splunkd but that did not resolve my problem.
I do see the field extractions listed under my App Context.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where you put your indexes will not matter. Neither will your inputs. Both of those conf files deal with index-time work.
Field extractions are used at search time. So the question is -
Where are the searches and eventtypes and tags and whatever else that use the field extractions?
What are the permissions of the field extractions?
If the field extractions are private to the new app and the searches, etc. are in a different app, then you won't see the field extractions.
Note: you do not need to restart Splunk to see/update changes to your field extractions. It should be sufficient simply to run a new search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding my own partial answer here...
When I created my first view for the app, the field extractions became visible within the app context. (I defined the XML in http://splunkserver/en-US/manager/launcher/data/ui/views then set the app to visible in http://splunkserver/en-US/manager/search/apps/local then changed context by going into Apps->MyApp from the top left menu)
The field extractions are no longer visible in the default view.
I suppose that makes sense, but I do wonder about the purpose in defining a view-less application. There may be a way to shift your app context without opening up an app, but it is not apparent to me.
My basic view definition is as follows.
<view>
<label>Basic Search View</label>
<!-- top nav chrome -->
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<!-- This module renders the search box -->
<module name="SearchBar" layoutPanel="mainSearchControls">
<module name="EventsViewer"/>
</module><!-- close SearchBar module -->
</view>
I'm leaving this as unanswered for the time being in hopes that someone might provide a more complete answer, but if not this should be a reasonable starting point for the next person in my shoes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like while I was typing this out @Iguinn came in with the extra information I was missing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where you put your indexes will not matter. Neither will your inputs. Both of those conf files deal with index-time work.
Field extractions are used at search time. So the question is -
Where are the searches and eventtypes and tags and whatever else that use the field extractions?
What are the permissions of the field extractions?
If the field extractions are private to the new app and the searches, etc. are in a different app, then you won't see the field extractions.
Note: you do not need to restart Splunk to see/update changes to your field extractions. It should be sufficient simply to run a new search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now that you've shown me the light, I found this answer very helpful: http://answers.splunk.com/answers/86/how-do-i-share-all-of-the-field-extractions-defined-in-a-given-...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have not yet moved my searches, eventtypes, and tags into the app, so that's my first problem - I was simply executing a search from the search and reporting app.
I defined the extractions by directly writing to props.conf and I did not edit permissions. I see now when I edit permissions that I can make them visible to all apps or just specific to my app. I think that was the key setting that I was missing.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
