Splunk Search

Why am I getting error "In handler 'props-extract': Data could not be written:" after configuring extractions for custom fields?

_dave_b
Communicator

Hello,

I had created some custom fields in my original Splunk Install, then I installed on a new server. I'm trying to migrate the custom fields I created. To try to save some time, I copied the props.conf file over to $Splunkhome\etc\users\admin\search\local. Splunk wasn't picking up on the new fields, so I tried adding them myself manually through the web interface. When I save, I get this message

In handler 'props-extract': Data could not be written:

Does anyone know why it says this, and how can I create my fields to extract?

Thanks

1 Solution

woodcock
Esteemed Legend

You probably copied the file as user root but Splunk is running as a lesser-priviliged user (e.g. splunk) which does not have permission to write to the file. You nee to do a chown to match the user running splunk or chmod to allow others to write to the file.

View solution in original post

woodcock
Esteemed Legend

You probably copied the file as user root but Splunk is running as a lesser-priviliged user (e.g. splunk) which does not have permission to write to the file. You nee to do a chown to match the user running splunk or chmod to allow others to write to the file.

View solution in original post

_dave_b
Communicator

I should have stated that I am running on Windows Server 2012, but you pointed me in a good direction with the security permissions anyways. After some fiddling around, my field extractions are now being saved and extracted without errors

Thanks!

0 Karma

woodcock
Esteemed Legend

For our poor Windows users, do spell out exactly what commands you used to fix it.

0 Karma

_dave_b
Communicator

Ok, here's what I did:
On the server, I gave full control of $Splunk_home to the Everyone user group. (Shotgun approach)
On the web interface, on the save screen for the field extraction, I clicked the All Apps button on the Permissions row, (Owner had been selected by default). This showed a table of users with columns for name, read permissions, and write permissions. There was a line for the user group Everyone, I checked the Write Permissions box, and I was able to save.

I'm hesitant to advertise it because it's not practicing the tightest security and could use some fine tuning, but I'm on a private network so security is not a big concern for me at the moment, and it works (or seems to)

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!