https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51476#M9883 <P>Here you go. I just modified some text for privacy, but otherwise structure is the same. Some of the characters like colons and slashes get stripped. <BR /> <CODE><BR /> "4/27/2012 1:37:45 PM","71642","71638","VmMacAssignedEvent","IIGCF\lus3","USLAB1","Management","uslab1esxi05.domain.com","FreeBSD",,,,"New MAC address (00:50:56:99:77:90) assigned to adapter c3 88 19 50 5c f5 fa 1a-51 58 6c b7 84 16 7a 90 for FreeBSD"</CODE></P> Tue, 15 May 2012 01:51:54 GMT virtualpony 2012-05-15T01:51:54Z https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51474#M9881 <P>I have a app that is deployed on a host that polls a csv file. I can get data in to the Splunk indexer, but it does not recognize the fields as described in the transforms.conf file located in the apps default directory. Here is what I have.</P> <BLOCKQUOTE> <P>C:\Program<BR /> Files\SplunkUniversalForwarder\etc\apps\vievents\default</P> </BLOCKQUOTE> <P>inputs.conf<CODE><BR /> [monitor://E:\Logs\vcenter\vievents.csv]<BR /> disabled = false<BR /> sourcetype = vievents_csv</CODE></P> <P>props.conf<CODE><BR /> [vievents_csv]<BR /> SHOULD_LINEMERGE = false<BR /> TRANSFORMS-vievents = vievents_extractions</CODE></P> <P>transforms.conf<CODE><BR /> [vievents_extractions]<BR /> DELIMS=","<BR /> FIELDS="CreatedTime","Key","ChainId","EventType","UserName","Datacenter","ComputeResource","Host","Vm","Ds","Net","Dvs","FullFormattedMessage"</CODE></P> <P>How do I get splunk to recognize the fields? Thanks.</P> Mon, 28 Sep 2020 11:49:06 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51474#M9881 virtualpony 2020-09-28T11:49:06Z https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51475#M9882 <P>Could you post an example row from the raw data?</P> Tue, 15 May 2012 01:48:06 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51475#M9882 dbryan 2012-05-15T01:48:06Z https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51476#M9883 <P>Here you go. I just modified some text for privacy, but otherwise structure is the same. Some of the characters like colons and slashes get stripped. <BR /> <CODE><BR /> "4/27/2012 1:37:45 PM","71642","71638","VmMacAssignedEvent","IIGCF\lus3","USLAB1","Management","uslab1esxi05.domain.com","FreeBSD",,,,"New MAC address (00:50:56:99:77:90) assigned to adapter c3 88 19 50 5c f5 fa 1a-51 58 6c b7 84 16 7a 90 for FreeBSD"</CODE></P> Tue, 15 May 2012 01:51:54 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51476#M9883 virtualpony 2012-05-15T01:51:54Z https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51477#M9884 <P>So, do you have these props.conf / transforms.conf settings on the indexer? Or just the host that the data is read from?</P> Tue, 15 May 2012 05:16:42 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51477#M9884 Ayn 2012-05-15T05:16:42Z https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51478#M9885 <P>well I initially included them in the app directory on the forwarded host, but I also copied them to the indexers system local directory. Rebooted, but no difference.</P> Tue, 15 May 2012 05:20:25 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51478#M9885 virtualpony 2012-05-15T05:20:25Z https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51479#M9886 <P>Issue solved. Replaced TRANSFORMS-vievents with REPORT-vievents. Reboot splunkd.</P> <P>Also needed to rename some field names as they overlap with existing splunk fields: EventType, Host</P> Tue, 15 May 2012 22:46:49 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-field-extraction-on-a-deployed-app/m-p/51479#M9886 virtualpony 2012-05-15T22:46:49Z