Splunk Search

Why am I getting error "In handler 'props-extract': Data could not be written:" after configuring extractions for custom fields?

_dave_b
Communicator

Hello,

I had created some custom fields in my original Splunk Install, then I installed on a new server. I'm trying to migrate the custom fields I created. To try to save some time, I copied the props.conf file over to $Splunkhome\etc\users\admin\search\local. Splunk wasn't picking up on the new fields, so I tried adding them myself manually through the web interface. When I save, I get this message

In handler 'props-extract': Data could not be written:

Does anyone know why it says this, and how can I create my fields to extract?

Thanks

1 Solution

woodcock
Esteemed Legend

You probably copied the file as user root but Splunk is running as a lesser-priviliged user (e.g. splunk) which does not have permission to write to the file. You nee to do a chown to match the user running splunk or chmod to allow others to write to the file.

View solution in original post

woodcock
Esteemed Legend

You probably copied the file as user root but Splunk is running as a lesser-priviliged user (e.g. splunk) which does not have permission to write to the file. You nee to do a chown to match the user running splunk or chmod to allow others to write to the file.

_dave_b
Communicator

I should have stated that I am running on Windows Server 2012, but you pointed me in a good direction with the security permissions anyways. After some fiddling around, my field extractions are now being saved and extracted without errors

Thanks!

0 Karma

woodcock
Esteemed Legend

For our poor Windows users, do spell out exactly what commands you used to fix it.

0 Karma

_dave_b
Communicator

Ok, here's what I did:
On the server, I gave full control of $Splunk_home to the Everyone user group. (Shotgun approach)
On the web interface, on the save screen for the field extraction, I clicked the All Apps button on the Permissions row, (Owner had been selected by default). This showed a table of users with columns for name, read permissions, and write permissions. There was a line for the user group Everyone, I checked the Write Permissions box, and I was able to save.

I'm hesitant to advertise it because it's not practicing the tightest security and could use some fine tuning, but I'm on a private network so security is not a big concern for me at the moment, and it works (or seems to)

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...