This is a weird one. I uploaded some data one time and I set the sourcetype to "MyStuff" and dropped it into my test index.
I search for: index=test sourcetype=MyStuff and all the data comes back. No problem so far. I do notice that the data is being k=v parsed, which I think is from the default settings in the systems/default/props.conf file. That's ok. (I have data with = in it, like FOO = BAR, and Splunk makes FOO the name with BAR the value).
I make a new app in etc/app/MyApp with a props and transforms file.
In props.conf:
[MyStuff]
REPORT-do_something = mystuff-parse
In transforms.conf:
[mystuff-parse]
REGEX = ^(\S+)
FORMAT = some_variable::$1
That's it.
I go back to my search and enter: index=test sourcetype=MyStuff | extract reload=T
Now I go back to my data and nothing has happened. I don't see my some_variable anywhere. I even reboot, without any results.
After banging my head against a wall for a while, I move all my logic into system/local/props.conf and transforms.conf, and re-run my search. All of a sudden my some_variable appears.
I have other apps on this box, so I run the btool on my props file to make sure my sourcetype MyStuff is unique, and it is. I make sure my REPORT-do_something is unique, and it is. I then run the btool against my transforms to make sure my stanza mystuff-parse is unique, and it is.
So how do I go about seeing what exactly is happening to my data when I run that search? It's never making it to my app in etc/app, but the logic works in system/local. Any ideas? I'm about to pull an Office Space on this box.
PS. Yes the permissions are correct on the directory and files.
UPDATE:
Fix was to make the app global so the Search App in the GUI could see/use it.
I added the metadata directory with the file default.meta in it.
The file looks like:
[ ]
access = read : [ * ], write : [ admin ]
export = global
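The scoping behaviour described in the update, as an added example that is not part of the original post or Splunk's own code: a simplified model of how a .meta file decides whether an app's props/transforms objects are visible from other apps such as Search. The resolution order (object stanza, then type stanza, then the empty stanza, with later files overriding earlier ones), the app-private default, and the tolerance for `[ ]` are assumptions of this model.

```python
"""Added example: simplified model of app metadata export scoping (not Splunk code)."""
import re

# "system" is the value in Splunk's default.meta docs; "global" is what the post used.
EXPORTED = {"system", "global"}

def parse_meta(text):
    """Return {stanza: {key: value}} for a .meta file; "[ ]" is read as "[]" (assumption)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1).strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(obj, *meta_texts):
    """Resolve `export` for an object such as "props/MyStuff".

    meta_texts are passed lowest precedence first (default.meta, then local.meta).
    The most specific stanza that sets `export` wins: object, then type, then [].
    """
    merged = {}
    for text in meta_texts:
        for name, attrs in parse_meta(text).items():
            merged.setdefault(name, {}).update(attrs)
    parts = obj.split("/")
    for i in range(len(parts), -1, -1):
        attrs = merged.get("/".join(parts[:i]), {})
        if "export" in attrs:
            return attrs["export"]
    return "none"  # modelled default: app-private, matching what the post observed

def visible_from_other_apps(obj, *meta_texts):
    return effective_export(obj, *meta_texts).lower() in EXPORTED

# Constructed sample: the default.meta contents shown in the post's update.
POST_META = "[ ]\naccess = read : [ * ], write : [ admin ]\nexport = global\n"

if __name__ == "__main__":
    for obj in ("props/MyStuff", "transforms/mystuff-parse"):
        print(obj, "no metadata:", visible_from_other_apps(obj),
              "| with default.meta:", visible_from_other_apps(obj, POST_META))
```

The empty stanza applies to every object in the app, and `read : [ * ]` grants read to all roles, so a narrower stanza such as `[props/MyStuff]` or `[transforms/mystuff-parse]` limits what is shared.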