Getting Data In

Not indexing new fields in new app

atelesca
Explorer

Hello,
I am new to Splunk and I am trying to create new fields at index time in a new app I created.
I would like to understand whether the procedure I am following is the correct one.
I have a data input specified under $SPLUNK_HOME/etc/apps/test_1/default/inputs.conf as:

[script:///opt/splunk/etc/apps/test_1/bin/vmstat.sh]
disabled = false
index = daq
interval = 60
source = memory
sourcetype = memory

This data is visible in the app's search view and is retrieved correctly.
In $SPLUNK_HOME/etc/apps/test_1/default/transforms.conf I add the transform rule:

[vmstat_test]
REGEX = (\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)
# Every FORMAT token must use the field::value form; contextswitch originally had a single colon.
FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$7 active::$8 swap_in::$9 swap_out::$10 blocks_in::$11 blocks_out::$12 interrupts::$13 contextswitch::$14 usermode::$15 kernelmode::$16 idle::$17 waiting::$18

and $SPLUNK_HOME/etc/apps/test_1/default/props.conf

[memory]
SHOULD_LINEMERGE=false
LINE_BREAKER=^()$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
REPORTS-vmstat_test = vmstat_test

I restarted Splunk, but the fields do not appear.
If I check the configuration from the web interface I can see the new field extraction and transform. However, they do not seem to be applied.
Thanks for your help.
Cheers,
Adriana


Ayn
Legend

Before any troubleshooting begins: why are you creating fields at index-time? Do you have a good reason for doing so? New users to Splunk often instinctively think creating index-time fields is a good way of boosting performance - in reality it is most often rather the opposite. Creating index-time fields should only be done if you really know what you're doing and have a very good reason for doing so instead of creating a search-time extraction.

EDIT: So, looking a bit more at your question it seems my little rant is not entirely needed - you're talking about index-time extractions, but the extraction you've almost created is a search-time extraction. You have an error in your props.conf: it's REPORT, not REPORTS.

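To make the REPORT versus REPORTS point concrete, here is an added example (my own code, not Splunk's and not from either poster) that emulates what Splunk does with a search-time REPORT-<class> stanza: it reads props.conf and transforms.conf text, applies the transform's REGEX and FORMAT to one event, and warns about keys that Splunk would silently ignore (a REPORTS- typo) or treat as index-time (TRANSFORMS-). The conf text is embedded inline and the vmstat-style event line is constructed with 18 numeric columns so that the poster's regex matches; the emulation of Splunk's behaviour is an assumption for illustration, not Splunk's actual parser.

```python
"""Offline emulation of Splunk search-time REPORT-<class> extraction (added example)."""
import re

# Constructed: the poster's transform, with every FORMAT token in field::value form.
VMSTAT_REGEX = r"\s+".join([r"(\d+)"] * 18)   # 18 numeric columns, as in the post
TRANSFORMS_CONF = f"""
[vmstat_test]
REGEX = {VMSTAT_REGEX}
FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$7 active::$8 swap_in::$9 swap_out::$10 blocks_in::$11 blocks_out::$12 interrupts::$13 contextswitch::$14 usermode::$15 kernelmode::$16 idle::$17 waiting::$18
"""

# Constructed: props.conf as posted (REPORTS- typo) and with the key corrected.
PROPS_AS_POSTED = """
[memory]
SHOULD_LINEMERGE=false
LINE_BREAKER=^()$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
REPORTS-vmstat_test = vmstat_test
"""
PROPS_FIXED = PROPS_AS_POSTED.replace("REPORTS-vmstat_test", "REPORT-vmstat_test")

# Constructed event: 18 whitespace-separated integers, the shape the REGEX expects.
EVENT = "1 0 0 1024000 204800 3072000 0 0 5 12 150 300 2 1 96 1 0 0"


def parse_conf(text):
    """Minimal .conf reader: {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def report_transforms(props, sourcetype):
    """Return (search-time transform names, warnings) for one props.conf stanza.

    Only REPORT-<class> drives search-time extraction. TRANSFORMS-<class> is
    index-time, and near-misses such as REPORTS- are unknown keys that Splunk
    ignores without complaint (assumed behaviour, modelled here as a warning).
    """
    names, warnings = [], []
    for key, value in props.get(sourcetype, {}).items():
        if key.startswith("REPORT-"):
            names.extend(v.strip() for v in value.split(","))
        elif key.startswith("TRANSFORMS-"):
            warnings.append(f"{key}: index-time transform, not applied at search time")
        elif re.match(r"(?i)^(reports?|transforms?)-", key):
            warnings.append(f"{key}: unknown key (did you mean REPORT- or TRANSFORMS-?)")
    return names, warnings


def apply_transform(transform, event):
    """Apply one transforms.conf stanza (REGEX + FORMAT) to an event string."""
    match = re.search(transform["REGEX"], event)
    if not match:
        return {}
    fields = {}
    for token in transform["FORMAT"].split():
        if "::" not in token:
            raise ValueError(f"FORMAT token {token!r} is not field::value")
        name, template = token.split("::", 1)
        # $n (including $10 and above) is replaced by the n-th capture group.
        fields[name] = re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), template)
    return fields


def extract(props_text, transforms_text, sourcetype, event):
    """Fields a search over `sourcetype` would see for `event`, plus warnings."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    names, warnings = report_transforms(props, sourcetype)
    fields = {}
    for name in names:
        if name not in transforms:
            warnings.append(f"REPORT- references missing transform [{name}]")
            continue
        fields.update(apply_transform(transforms[name], event))
    return fields, warnings


if __name__ == "__main__":
    for label, text in (("as posted", PROPS_AS_POSTED), ("with REPORT-", PROPS_FIXED)):
        fields, warnings = extract(text, TRANSFORMS_CONF, "memory", EVENT)
        print(f"{label}: {len(fields)} fields extracted; warnings: {warnings}")
```

With the posted props.conf the emulation extracts nothing and reports the unknown key; with REPORT- it yields the 16 named fields (columns $5 and $6 are captured but never named in FORMAT, so they never become fields). On a real instance the equivalent check is to run `splunk btool props list memory --debug` and confirm the stanza Splunk actually loads contains a REPORT- key, not REPORTS-.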

Ayn
Legend

In which app do you check this in the web GUI? search? By default, knowledge objects (such as extracted fields) are only valid within the context of their own app, so in order to use field extractions from your test_1 app you need to make those extractions global. This can be done via Manager in the GUI or by adding/editing the default.meta file in the app's metadata directory. In the latter case, the file should look something like this:

[]
access = read : [ * ], write : [ admin ]
export = global

atelesca
Explorer

Thanks for your answer. Indeed, it is a search-time extraction.
I fixed the typo (REPORT-vmstat_test) and restarted Splunk. The fields still don't appear. Are there additional things I should do?
