I ingested a CSV into our dev environment, had it create the props stanza with the field extractions I wanted, and copied this over into our prod props.conf.
This works as expected in dev; I can reliably add more logs that it picks up the fields on and does the extracts correctly. When the logs are ingested in prod, however, the source type is picked up but the extracts aren't being done. I open up the Source Types UI in both environments and they're identical.
These are both using 6.4.3 (we're upgrading soon), and Splunk is not barking at me on restart that there are errors in my conf files. The only difference in environments is that dev is a standalone all-in-one, and prod is clustered search heads and non-clustered indexers.
Stanza that was created in dev below:
[obfuscated_stanza]
DATETIME_CONFIG =
FIELD_NAMES = Timestamp,Method,Timing,TransactionID,TrackingNumber,TransactionName,processID,threadID
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = true