Hi guys
I've defined my sourcetype, transforms and lookup in /opt/splunk/etc/system/local/props.conf and /opt/splunk/etc/system/local/transforms.conf (I set the lookup from the web interface).
Everything is working fine with the default Search and Reporting App.
After I created my customApp and if I perform the same search in the App, I can see the right source_type associated to my data but the regex that I defined in /opt/splunk/etc/system/local/transforms.conf is not applied.
Any suggestion?
Thanks
Most likely there's some config in the wrong place. Here's a start:
$SPLUNK_HOME/bin/splunk btool props list your_sourcetype --debug
$SPLUNK_HOME/bin/splunk btool transforms list your_transforms_or_lookup --debug
Check if all relevant settings are in the right place from Splunk's point of view. For more detailed help you'll need to share your config.
Most likely there's some config in the wrong place. Here's a start:
$SPLUNK_HOME/bin/splunk btool props list your_sourcetype --debug
$SPLUNK_HOME/bin/splunk btool transforms list your_transforms_or_lookup --debug
Check if all relevant settings are in the right place from Splunk's point of view. For more detailed help you'll need to share your config.
Feel free to elaborate what you did to fix and mark as accepted.
Thanks, this helped!