I have certain logs which are indexed correctly. Field extraction using props.conf and transforms.conf works correctly when I am searching within the indexer. However, when I am copying the same set of props and transforms files to the search head, field extraction does not work.
I have put props and transforms under .../etc/apps/search/local on the search head and am trying to search within the search app. It seems something else is taking precedence.
I am just searching
sourcetype=cf
there is only one type of data in that index.
My question is: is there a way to find which props and/or transforms file is applied to a specific sourcetype?
I tried the following command:
splunk cmd btool --app=search props list
which shows the following output:
[cf]
DATETIME_CONFIG =
FIELDALIAS-src = c_ip AS src
KV_MODE = none
MAX_TIMESTAMP_LOOKAHEAD = 20
NO_BINARY_CHECK = true
REPORT-cfx = kv_for_cf
SHOULD_LINEMERGE = True
TRANSFORMS-sourcetype = nullPound
category = Web
description = AWS cloudfront logs
pulldown_type = true
[cisco_wsa_squid]
EVAL-MB = sc_bytes/(1024*1024)
[ironport_proxy]
[splunk_web_service]
EXTRACT-useragent = userAgent=(?P[^ (]+)
[splunkd]
EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P[^ ]*)\s+(?P[^ ]+) - (?P.+)
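One way to answer the question in the post, added here as an example that is not part of the original thread: btool accepts a --debug flag that prefixes every line of its merged output with the path of the configuration file that supplied it, so grouping that output by path shows exactly which props.conf (or transforms.conf) won for each setting of the [cf] stanza. The script below parses that format; the sample output embedded in it is constructed for illustration (the paths and the cf_app app do not come from the post), and the subprocess call assumes the splunk binary is on PATH on the search head. Keep in mind that TRANSFORMS- settings are index-time and only matter on the indexer or forwarder; on the search head only the search-time keys (REPORT-, EXTRACT-, FIELDALIAS-, KV_MODE, EVAL-) have any effect.

```python
"""Group `splunk btool ... --debug` output by the file each setting came from."""
import re
import subprocess
import sys

# Constructed sample of `splunk cmd btool props list cf --debug` output.
# btool --debug prefixes each line with the file that contributed it;
# the paths, the cf_app app and the values below are made up for this example.
SAMPLE_DEBUG_OUTPUT = """\
/opt/splunk/etc/apps/search/local/props.conf    [cf]
/opt/splunk/etc/system/default/props.conf       DATETIME_CONFIG =
/opt/splunk/etc/apps/search/local/props.conf    FIELDALIAS-src = c_ip AS src
/opt/splunk/etc/apps/search/local/props.conf    KV_MODE = none
/opt/splunk/etc/apps/cf_app/default/props.conf  REPORT-cfx = kv_for_cf
/opt/splunk/etc/apps/search/local/props.conf    TRANSFORMS-sourcetype = nullPound
"""

# <absolute path>  <whitespace>  <stanza header or "key = value">
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<rest>.*)$")


def parse_btool_debug(text):
    """Return {stanza: {"header_source": path, "settings": {key: (value, path)}}}."""
    result = {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not line or not m:
            continue
        path, rest = m.group("path"), m.group("rest").strip()
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
            result[stanza] = {"header_source": path, "settings": {}}
            continue
        if stanza is None or "=" not in rest:
            continue  # ignore anything that is not a key = value line
        key, _, value = rest.partition("=")
        result[stanza]["settings"][key.strip()] = (value.strip(), path)
    return result


def contributing_files(parsed, stanza):
    """Every file that supplied at least one effective setting for the stanza."""
    entry = parsed[stanza]
    paths = {path for _, path in entry["settings"].values()}
    paths.add(entry["header_source"])
    return sorted(paths)


def foreign_settings(parsed, stanza, expected_path):
    """Settings whose winning definition did NOT come from the file you edited.

    These are the keys where some other props.conf is taking precedence.
    """
    return {
        key: (value, path)
        for key, (value, path) in parsed[stanza]["settings"].items()
        if path != expected_path
    }


def run_btool(conf, stanza):
    """Run btool on a live Splunk instance (assumes `splunk` is on PATH)."""
    cmd = ["splunk", "cmd", "btool", conf, "list", stanza, "--debug"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def report(parsed, stanza, expected_path):
    """Print which file won each setting and flag the ones you did not set."""
    print(f"[{stanza}] header declared in: {parsed[stanza]['header_source']}")
    for key, (value, path) in sorted(parsed[stanza]["settings"].items()):
        print(f"  {key} = {value}    <- {path}")
    for key, (value, path) in sorted(foreign_settings(parsed, stanza, expected_path).items()):
        print(f"  WARNING: {key} is overridden by {path}")


if __name__ == "__main__":
    # Usage: python btool_debug.py [props|transforms] [stanza] [path-you-edited]
    if len(sys.argv) == 4:
        conf, stanza, expected = sys.argv[1:]
        parsed = parse_btool_debug(run_btool(conf, stanza))
    else:  # offline demo on the constructed sample
        stanza, expected = "cf", "/opt/splunk/etc/apps/search/local/props.conf"
        parsed = parse_btool_debug(SAMPLE_DEBUG_OUTPUT)
    report(parsed, stanza, expected)
```

Run it for both props and transforms (the REPORT-cfx setting points at a transforms stanza, kv_for_cf, which can be shadowed in the same way), and run it from the search head, since btool only reads the local filesystem of the instance it is executed on.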