topic Re: I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration: in Getting Data In

I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration:

umeshagarwal — Tue, 29 Sep 2020 12:27:24 GMT

Output should have only have only field FIELD2 & FIELD3 data.

Inputs.conf
[monitor://C:\testauths*.txt]
index=main
sourcetype=mytestdata

props.conf
[mytestdata]
CHARSET=AUTO
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS=csv
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
FIELD_DELIMITER=|
HEADER_FIELD_LINE_NUMBER=0
REPORT-fields = getLogData

transforms.conf
[getLogData]
DELIMS = "|"
FIELDS= "",FIELD2,FIELD3,""

I am sure somewhere i am making mistake.

Re: I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration:

DalJeanis — Tue, 17 Jan 2017 17:58:16 GMT

Do you want them indexed, or extracted at search time?

Re: I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration:

DalJeanis — Tue, 17 Jan 2017 18:31:36 GMT

Here's some things that I'd try, one at a time -

A) change to INDEXED_EXTRACTIONS=psv.
(This may not help but should not hurt.)

B) change namespace from REPORT-fields to REPORT-search or REPORT-yourappname.
(This is my best guess of the real issue.)

C) remove pulldown_type clause
(In the admin manual, it says # NOT YOURS. DO NOT SET.)

D) remove disabled clause
(I don't find it in the admin manual for that stanza.)

Re: I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration:

umeshagarwal — Wed, 18 Jan 2017 11:16:02 GMT

I want to them to be indexed.

Re: I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration:

umeshagarwal — Wed, 18 Jan 2017 11:41:12 GMT

Tried with the above changes but now I am not getting any data indexed.

Re: I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration:

DalJeanis — Sun, 22 Jan 2017 03:56:30 GMT

which change caused the data to stop indexing?

Re: I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration:

umeshagarwal — Thu, 02 Feb 2017 14:44:43 GMT

After restarting splunk all data are getting indexed rather than the two fields.

Re: I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration:

PramodhKumar — Sun, 08 Mar 2020 11:19:40 GMT

Hi @umeshagarwal008

You can use field transformations in props, TRANSFORMS-q=nq
then in transforms.conf
[nq]
REGEX=CHINA.* | NEPAL.*
FORMAT=queue
DEST_KEY=nullQueue

hope this helps..

Regards,
Pramodh