Splunk Search

Search app doesn't recognise the transformed search

rahiparikh
Explorer

Hi,

I tried to transform the unix app's data, something like this --

[transforms.conf]

[df]
REGEX = ([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([0-9]+)%\s+([^\s]+)
MV_ADD = true
FORMAT = filesystem::$1 type::$2 size::$3 used::$4 avail::$5 usepct::$6 mountedon::$7

[props.conf]

[df]
REPORT-df_field_extraction = df

Now, I am searching following in search app --

index=os sourcetype="df" usepct>20

This should give me information on all the disks that are more than 20% full, but instead it gives me nothing. Any help will be appreciated.


--Edit--


As requested, the output of df command is --

Filesystem     Type     Size     Used     Avail     UsePct     MountedOn
/dev/sda1      ext3      99M      20M       75M        21%     /boot

Thanks!

0 Karma
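As an added sanity check that is not part of the original thread or of the Splunk unix app, the REGEX and FORMAT from the transforms.conf stanza above can be replayed in Python against the posted df output to see exactly which fields Splunk would extract and whether `usepct>20` should match. The header line and the /dev/sda1 row are the ones from the question; the /dev/sda2 row is a constructed extra event so the filter has something to exclude.

```python
import re

# REGEX copied verbatim from the [df] stanza in transforms.conf above.
DF_REGEX = re.compile(
    r"([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([0-9]+)%\s+([^\s]+)"
)
# Field names in the same order as $1..$7 in the FORMAT line.
DF_FIELDS = ("filesystem", "type", "size", "used", "avail", "usepct", "mountedon")

# Constructed sample events: the header and row posted in the question,
# plus one invented row (/dev/sda2) that sits below the 20% threshold.
SAMPLE_EVENTS = [
    "Filesystem     Type     Size     Used     Avail     UsePct     MountedOn",
    "/dev/sda1      ext3      99M      20M       75M        21%     /boot",
    "/dev/sda2      ext3      9.9G     1.2G      8.2G       13%     /",
]


def extract_df(event):
    """Apply the df regex to one event the way the REPORT- extraction would.

    Returns a dict of the seven named fields, or None when the regex does not
    match (the header line never matches because 'UsePct' is not digits+'%').
    """
    m = DF_REGEX.search(event)
    if not m:
        return None
    return dict(zip(DF_FIELDS, m.groups()))


def search_usepct_over(events, threshold):
    """Emulate `sourcetype=df usepct>threshold`: keep events whose extracted
    usepct is a number strictly greater than the threshold."""
    hits = []
    for event in events:
        fields = extract_df(event)
        if fields is None:
            continue  # no extraction, so the field comparison cannot match
        if int(fields["usepct"]) > threshold:
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in search_usepct_over(SAMPLE_EVENTS, 20):
        print(hit["filesystem"], hit["mountedon"], hit["usepct"] + "%")
```

If the row extracts correctly here but the Splunk search still returns nothing, the regex itself is not the problem and the issue lies in where the props/transforms stanzas live or in how the event is actually indexed.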

woodcock
Esteemed Legend

It shouldn't really make a difference, but MV_ADD = true is wrong, so just get rid of the whole line and try again.

0 Karma

rahiparikh
Explorer

@bbingham - Thanks for your help! I modified the search app's config files, and I am searching in the context of the search app only. I am using the unix app to generate this data and nothing else. Also, the output of the df command is the way the event looks when searched in Splunk.

0 Karma

bbingham
Builder

I just noticed you're using the search app, but you modified the unix app file. Or did you copy these settings to the search app? In case you missed it, can you also post what the event looks like in Splunk?

If you modified the transforms only in the unix app, they may be app-specific, and you may need to globalize your configuration files.

0 Karma

rahiparikh
Explorer

Hi, I have posted the output for that search.

0 Karma

Drainy
Champion

and also how the actual event looks within Splunk (assuming it is being indexed, try a search for the time the script executed)

0 Karma

bbingham
Builder

Can you post the output of the DF command you are using in the scripted inputs?

0 Karma