This is a weird one. I uploaded some data one time and I set the sourcetype to "MyStuff" and dropped it into my test index.

I search for: index=test sourcetype=MyStuff and all the data comes back. No problem so far. I do notice that the data is being k=v parsed, which I think is from the default settings in the systems/default/props.conf file. That's ok. (I have data with = in it, like FOO = BAR, and Splunk makes FOO the name with BAR the value).

I make a new app in etc/app/MyApp with a props and transforms file.

In props.conf:

[MyStuff]
REPORT-do_something = mystuff-parse

In transforms.conf:

[mystuff-parse]
REGEX = ^(\S+)
FORMAT = some_variable::$1

That's it.

I go back to my search and enter: index=test sourcetype=MyStuff | extract reload=T

Now I go back to my data and nothing has happened. I don't see my some_variable anywhere. I even reboot, without any results.

After banging my head against a wall for a while, I move all my logic into system/local/props.conf and transforms.conf, and re-run my search. All of a sudden my some_variable appears.

I have other apps on this box, so I run the btool on my props file to make sure my sourcetype MyStuff is unique, and it is. I make sure my REPORT-do_something is unique, and it is. I then run the btool against my transforms to make sure my stanza mystuff-parse is unique, and it is.

So how do I go about seeing what exactly is happening to my data when I run that search? It's never making it to my app in etc/app, but the logic works in system/local. Any ideas? I'm about to pull an Office Space on this box.

PS. Yes the permissions are correct on the directory and files.

UPDATE:

Fix was to make the app global so the Search App in the GUI could see/use it.

I added the metadata director with the file default.meta in it.

The file looks like:

[ ]
access = read : [ * ], write : [ admin ]
export = global