topic Indexing a syslog file - doesnt give expected output in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Indexing-a-syslog-file-doesnt-give-expected-output/m-p/187988#M37530 <P>Raw Logs:</P> <PRE><CODE>Fri Mar 14 11:16:16 2014$SERVICEALERT$HOST1$SERVICE1$OK$PROCS OK: 1 process OK Fri Mar 14 11:17:11 2014$HOSTALERT$HOST2$SERVICE2$WARNING$PROCS OK: 1 process WARNING Fri Mar 14 11:18:12 2014$HOSTEALERT$HOST3$SERVICE3$OK$PROCS OK: 1 process OK Fri Mar 14 11:19:14 2014$SERVICEALERT$HOST4$SERVICE4$CRITICAL$PROCS OK: 1 process CRITICAL </CODE></PRE> <P>I wanted to index the above _raw log with fields: "TIMESTAMP" ,"ALERTTYPE" ,"HOSTNAME" ,"SERVICENAME" ,"STATUS" ,"Description"</P> <P>I set the props.conf &amp; transforms.conf as below:</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[custom] REPORT-search = extract_custom SHOULD_LINEMERGE = false </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[custom] DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::custom [extract_custom] DELIMS = "$" FIELDS = "TIMESTAMP"$"ALERTTYPE"$"HOSTNAME"$"SERVICENAME"$"STATUS"$"Description" </CODE></PRE> <P>I couldn't get the exptected output , am i missing something?</P> Fri, 14 Mar 2014 11:47:17 GMT splunker12er 2014-03-14T11:47:17Z Indexing a syslog file - doesnt give expected output https://community.splunk.com/t5/Getting-Data-In/Indexing-a-syslog-file-doesnt-give-expected-output/m-p/187988#M37530 <P>Raw Logs:</P> <PRE><CODE>Fri Mar 14 11:16:16 2014$SERVICEALERT$HOST1$SERVICE1$OK$PROCS OK: 1 process OK Fri Mar 14 11:17:11 2014$HOSTALERT$HOST2$SERVICE2$WARNING$PROCS OK: 1 process WARNING Fri Mar 14 11:18:12 2014$HOSTEALERT$HOST3$SERVICE3$OK$PROCS OK: 1 process OK Fri Mar 14 11:19:14 2014$SERVICEALERT$HOST4$SERVICE4$CRITICAL$PROCS OK: 1 process CRITICAL </CODE></PRE> <P>I wanted to index the above _raw log with fields: "TIMESTAMP" ,"ALERTTYPE" ,"HOSTNAME" ,"SERVICENAME" ,"STATUS" ,"Description"</P> <P>I set the props.conf &amp; transforms.conf as below:</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[custom] REPORT-search = extract_custom SHOULD_LINEMERGE = false </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[custom] DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::custom [extract_custom] DELIMS = "$" FIELDS = "TIMESTAMP"$"ALERTTYPE"$"HOSTNAME"$"SERVICENAME"$"STATUS"$"Description" </CODE></PRE> <P>I couldn't get the exptected output , am i missing something?</P> Fri, 14 Mar 2014 11:47:17 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing-a-syslog-file-doesnt-give-expected-output/m-p/187988#M37530 splunker12er 2014-03-14T11:47:17Z Re: Indexing a syslog file - doesnt give expected output https://community.splunk.com/t5/Getting-Data-In/Indexing-a-syslog-file-doesnt-give-expected-output/m-p/187989#M37531 <P>I got the answer:</P> <P>I made a mistake in <STRONG>transforms.conf</STRONG> - Below is the corercted one. ',' and not '$'</P> <PRE><CODE>[custom] DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::custom [extract_custom] DELIMS = "$" FIELDS = "TIMESTAMP","ALERTTYPE","HOSTNAME","SERVICENAME","STATUS","Description" </CODE></PRE> Fri, 14 Mar 2014 11:50:15 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing-a-syslog-file-doesnt-give-expected-output/m-p/187989#M37531 splunker12er 2014-03-14T11:50:15Z