Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why am I getting error "In handler 'props-extract'...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I had created some custom fields in my original Splunk Install, then I installed on a new server. I'm trying to migrate the custom fields I created. To try to save some time, I copied the props.conf file over to $Splunkhome\etc\users\admin\search\local. Splunk wasn't picking up on the new fields, so I tried adding them myself manually through the web interface. When I save, I get this message
In handler 'props-extract': Data could not be written:
Does anyone know why it says this, and how can I create my fields to extract?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You probably copied the file as user root but Splunk is running as a lesser-priviliged user (e.g. splunk) which does not have permission to write to the file. You nee to do a chown to match the user running splunk or chmod to allow others to write to the file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You probably copied the file as user root but Splunk is running as a lesser-priviliged user (e.g. splunk) which does not have permission to write to the file. You nee to do a chown to match the user running splunk or chmod to allow others to write to the file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I should have stated that I am running on Windows Server 2012, but you pointed me in a good direction with the security permissions anyways. After some fiddling around, my field extractions are now being saved and extracted without errors
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For our poor Windows users, do spell out exactly what commands you used to fix it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, here's what I did:
On the server, I gave full control of $Splunk_home to the Everyone user group. (Shotgun approach)
On the web interface, on the save screen for the field extraction, I clicked the All Apps button on the Permissions row, (Owner had been selected by default). This showed a table of users with columns for name, read permissions, and write permissions. There was a line for the user group Everyone, I checked the Write Permissions box, and I was able to save.
I'm hesitant to advertise it because it's not practicing the tightest security and could use some fine tuning, but I'm on a private network so security is not a big concern for me at the moment, and it works (or seems to)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Monitoring AI Agents with Splunk Observability Cloud
[Puzzles] Solve, Learn, Repeat: Tiling
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
