Splunk Search

When is props.conf applied for search-time field extraction?

Motivator

We have a setup where Universal Forwarders send data to indexers and dedicated search heads search those indexers.
There is a lookup in $SPLUNK_HOME/etc/system/lookups which is used in $SPLUNK_HOME/etc/search/local/props.conf and $SPLUNK_HOME/etc/search/local/transforms.conf that adds some fields to all events in Splunk (I moved props.conf and transforms.conf from system/local to the search app because I got errors when searching internal indexes on the search heads).

props.conf

[default]
LOOKUP-table = my_lookup IP_NAME AS host

transforms.conf

[my_lookup]
filename = mylist.csv
max_matches = 1

When I search, the fields correctly show up in the list of events in the flashtimeline view. But if I try to use one of the custom fields in my search not all of the events show up:

index="x" myOwnField=value earliest=07/28/2011:09:50:0 latest=07/28/2011:09:55:0

If I pipe the results through another search command and use my custom fields in the second search, I get the results I expect:

index="x" earliest=07/28/2011:09:50:0 latest=07/28/2011:09:55:0 | search myOwnField=value

Has anyone else run across similar behaviour?

0 Karma
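Two searches that narrow this down, added here as an illustration and not part of the original post. They assume the lookup column carrying the custom field is literally named myOwnField (the post only says "one of the custom fields") and that mylist.csv is the file referenced by the [my_lookup] stanza above. The first search reads the CSV directly on the search head, so it confirms that the file is visible to the search tier at all; the second replaces the automatic LOOKUP- stanza with an explicit lookup command in the pipeline, so the field is populated by the search head before the filter runs, independent of whether the indexers received the same props.conf, transforms.conf and CSV in the knowledge bundle.

```spl
| inputlookup mylist.csv
| head 5

index="x" earliest=07/28/2011:09:50:0 latest=07/28/2011:09:55:0
| lookup my_lookup IP_NAME AS host OUTPUTNEW myOwnField
| search myOwnField=value
```

If the first search returns rows but the second matches events that the single-stage search index="x" myOwnField=value misses, the field is being added on the search head only, and the base-search filter is being evaluated on indexers that do not have the lookup; checking that the search app's local props.conf, transforms.conf and the CSV are distributed to the indexers (or moving the CSV into the app's lookups directory so it travels with the bundle) is the thing to verify next.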
