Hello,
I had created some custom fields in my original Splunk install, then I installed on a new server. I'm trying to migrate the custom fields I created. To try to save some time, I copied the props.conf file over to $Splunkhome\etc\users\admin\search\local. Splunk wasn't picking up on the new fields, so I tried adding them myself manually through the web interface. When I save, I get this message:
In handler 'props-extract': Data could not be written:
Does anyone know why it says this, and how can I create my fields to extract?
Thanks

You probably copied the file as user root but Splunk is running as a lesser-privileged user (e.g. splunk) which does not have permission to write to the file. You need to do a chown to match the user running splunk or chmod to allow others to write to the file.

I should have stated that I am running on Windows Server 2012, but you pointed me in a good direction with the security permissions anyways. After some fiddling around, my field extractions are now being saved and extracted without errors.
Thanks!

For our poor Windows users, do spell out exactly what commands you used to fix it.

Ok, here's what I did:
On the server, I gave full control of $Splunk_home to the Everyone user group. (Shotgun approach)
On the web interface, on the save screen for the field extraction, I clicked the All Apps button on the Permissions row (Owner had been selected by default). This showed a table of users with columns for name, read permissions, and write permissions. There was a line for the user group Everyone; I checked the Write Permissions box, and I was able to save.
I'm hesitant to advertise it because it's not practicing the tightest security and could use some fine tuning, but I'm on a private network so security is not a big concern for me at the moment, and it works (or seems to).
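
A narrower alternative to giving Everyone full control, as an added example that is not part of the original thread: find the account the Splunk service runs as, list write access held by broad groups, and grant Modify to that one account. The install path and the service name `Splunkd` are assumptions; adjust both to your installation and run from an elevated PowerShell prompt.

```powershell
# Assumptions (not stated in the thread): default install path and service name.
$SplunkHome  = 'C:\Program Files\Splunk'
$ServiceName = 'Splunkd'
$Fix         = $false   # set to $true to apply step 3; steps 1-2 only read

# 1. Find the account the Splunk service runs as.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; adjust `$ServiceName." }
$account = $svc.StartName
if ($account -eq 'LocalSystem') { $account = 'NT AUTHORITY\SYSTEM' }
# icacls does not resolve the ".\user" form used for local accounts.
$account = $account -replace '^\.\\', "$($env:COMPUTERNAME)\"
Write-Output "Splunk runs as: $account"

# 2. List ACEs under etc\users that let broad groups write (what a file copy
#    or the Everyone workaround may have left behind).
$broad  = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$write  = [System.Security.AccessControl.FileSystemRights]::WriteData
$target = Join-Path $SplunkHome 'etc\users'
$findings = Get-ChildItem -LiteralPath $target -Recurse -Force | ForEach-Object {
    $path = $_.FullName
    (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $write) -ne 0)
    } | ForEach-Object {
        [pscustomobject]@{ Path = $path; Identity = $_.IdentityReference.Value
                           Rights = $_.FileSystemRights; Inherited = $_.IsInherited }
    }
}
$findings | Format-Table -AutoSize

# 3. Grant Modify to the service account only (inherited by subfolders and
#    files), then remove explicit Everyone grants throughout the tree.
if ($Fix) {
    icacls $SplunkHome /grant "${account}:(OI)(CI)M" /C
    icacls $SplunkHome /remove:g Everyone /T /C
}
```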
