https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193713#M38602 <P>removing the space from my DELIMS stanza fixes one problem but then because my data is quoted and separated by commas the data is coming into Splunk with the quotes. This causes me to have to use a escape character to run any search. For example: </P> <P>levelname="\"[INFO]\"" </P> <P>This is how I would have to run a search</P> Mon, 06 Jan 2014 15:35:01 GMT JoeSco27 2014-01-06T15:35:01Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193708#M38597 <P>I am running into an issue with my transforms and props config files, my data is being logged properly to my index but when I set my fields in the transforms.conf it only takes everyother fieldname. Below are my transforms.conf stanza with the work-around I have implemented and my props.conf, clearly this is a bad method and i am trying to figure out why splunk would be taking everyother fieldname </P> <H2>transforms.conf</H2> <PRE><CODE> [mySourcetype] DELIMS = ", " FIELDS = "timestamp", "", "levelname", "", "someid", "", "somecode", "", "someothercode", "", "someotherid" </CODE></PRE> <P>That empty double bracket is the only way for my logs to be formatted properly. </P> <H2>props.conf</H2> <PRE><CODE> [mySourcetype] TRUNCATE = 0 MAX_EVENTS = 10000 MAX_TIMESTAMP_LOOKAHEAD = 60 SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d %H:%M:%S REPORT-mySourcetype = mySourcetype BREAK_ONLY_BEFORE = TIMESTAMP KV_MODE = auto given_type = csv </CODE></PRE> Thu, 02 Jan 2014 15:35:42 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193708#M38597 JoeSco27 2014-01-02T15:35:42Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193709#M38598 <P>Please provide an example of your data.</P> Thu, 02 Jan 2014 16:11:21 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193709#M38598 richgalloway 2014-01-02T16:11:21Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193710#M38599 <P>I can't replicate your issue. The empty double bracket should not be an issue. What version are you running?<BR /> Can you post an obfuscated data sample?</P> Thu, 02 Jan 2014 17:30:57 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193710#M38599 jharty_splunk 2014-01-02T17:30:57Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193711#M38600 <P>It looks like you have both a comma and a space in your <CODE>DELIMS</CODE></P> <PRE><CODE>DELIMS = ", " </CODE></PRE> <P>So you are telling Splunk that both a comma and a space are a delimiter. If your data looks like this</P> <PRE><CODE>Mary, 12345, Utah Pat, 98765, Virginia </CODE></PRE> <P>Then perhaps Splunk is seeing the data like this</P> <PRE><CODE>Mary&lt;delim&gt;null&lt;delim&gt;12345&lt;delim&gt;null&lt;delim&gt;Utah etc. </CODE></PRE> <P>Try<BR /> DELIMS = ","</P> <P>Also, as others have suggested, a sample of your data would also be very helpful.</P> Fri, 03 Jan 2014 02:04:36 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193711#M38600 lguinn2 2014-01-03T02:04:36Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193712#M38601 <P>A sample bit of my data looks like this:</P> <P>"2014-01-06 10:22:19", "[INFO]", "SomeID", "ABCD", "EFGH", "1234"</P> <P>"2014-01-06 10:22:19", "[DEBUG]", "SomeOtherID", "AAAA", "BBBB", "ABABA"</P> Mon, 06 Jan 2014 15:31:50 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193712#M38601 JoeSco27 2014-01-06T15:31:50Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193713#M38602 <P>removing the space from my DELIMS stanza fixes one problem but then because my data is quoted and separated by commas the data is coming into Splunk with the quotes. This causes me to have to use a escape character to run any search. For example: </P> <P>levelname="\"[INFO]\"" </P> <P>This is how I would have to run a search</P> Mon, 06 Jan 2014 15:35:01 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193713#M38602 JoeSco27 2014-01-06T15:35:01Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193714#M38603 <P>A backslash between first set of double quotes, and backslash before second pair.</P> Mon, 06 Jan 2014 15:35:59 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193714#M38603 JoeSco27 2014-01-06T15:35:59Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193715#M38604 <P>In <CODE>props.conf</CODE>, I think you should set </P> <P>KV_MODE = none</P> <P>since you are explicitly extracting the fields in <CODE>transforms.conf</CODE> - And Very Important:<BR /> YOU SHOULD NOT SET <CODE>given_type</CODE>, so remove</P> <P>given_type = csv</P> Mon, 06 Jan 2014 22:01:18 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexing-using-everyother-fieldname/m-p/193715#M38604 lguinn2 2014-01-06T22:01:18Z