I should probably rewrite this answer completely. I don't have time for a full rewrite, but here are some highlights that I would expand upon if/when I get around to doing a more thorough rewrite.

This is especially difficult if you have nf settings in one app and then set up an nf in a different app. Unless your props entries are exported, you probably will not get the results you are looking for. (If you put your config entries in nf (instead of nf), Splunk will ignore them. Nearly all of the config files are plural.)

Splunk has made some great changes that simplify troubleshooting this kind of problem since the early 4.x releases (which is when this answer was first written).

Use the Data Preview tool whenever you can. With the data preview tool you can test your nf settings interactively and immediately see if your settings are correct or not. (That pretty much replaces the | file /path/to/sample/file approach which is noted below.) This is a bit more tricky when working with transformers. I've run into a few weird corner cases with the tool where it doesn't accurately represent the indexing process, but that's rare (and the last time I had that problem was a few versions back). It will save you tons of time and frustration when on-boarding new data.

The | extract reload=T isn't generally necessary anymore. Since searches are kicked off in their own processes, all the config files are re-read from the file system when the search process is launched. conf files are normally available by just re-running your search. However, this command is still useful when reloading index-time props and transforms search settings.

Splunk checks for config errors at startup. Splunk added a feature (back in the mid 4.x releases, I think) that reports basic configuration errors. These are displayed during startup by default. You can get this list manually by running splunk btool check. This isn't foolproof but can catch simple typos that could cause lots of frustration. Sometimes these messages can be bogus, especially if you are using an undocumented feature. (This tool checks for config names based on entries in the README/*.props.spec files.)

Run the splunk btool validate-regex command. If you see any output, then you have issues with one or more of your regexes. I haven't tested this thoroughly, but it finds errors with regexes in EXTRACT in nf and REGEX in nf (as of Splunk 6.1.1).