https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156640#M44063 <P>Yes, as long as the REPORT-xxx in props.conf references the stanza name in transforms.conf.</P> Tue, 26 Nov 2013 15:17:42 GMT _d_ 2013-11-26T15:17:42Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156634#M44057 <H2>Sample Log File</H2> <P>2013-10-31|2013-10-31 00:00:00|serv1|ws1|Mozilla|p1=1,p2=2,p3=3|hash1||method1|id||2.01</P> <P>2013-11-01|2013-10-31 00:00:00|serv1|ws2|Chrome|p1=55,p2=432,p3=3|hash2||method2|id||3.31</P> <P>2013-10-03|2013-10-31 00:00:00|serv1|ws3|Explorer|p1=34,p2=434434,p3=555555|hash3||method3|id||4.41</P> <H2>Question</H2> <P>The log fields are fixed and there is adlimiter '|' between them</P> <P>I want that the splunk automaticlly parse data rows into fileds<BR /> I add the prop.conf these attributes</P> <P>DELIMS = "|"</P> <P>FIELDS = "date"|"datetime"|"service"|"ws"|"browser"|"params"|"gui"|"empty"|"method"|"id"|"status"|"ver"</P> <P>Why dont I see those fields on the Selected/Interesting Fields list?<BR /> what am i missing?</P> Tue, 26 Nov 2013 13:21:13 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156634#M44057 shayhk 2013-11-26T13:21:13Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156635#M44058 <P>Those attributes belong in a transforms.conf instead. </P> <P><CODE>props.conf<BR /> [my_sourcetype]<BR /> REPORT-my_fields = my_fields</CODE></P> <P><CODE>transforms.conf<BR /> [my_fields]<BR /> DELIMS = "|"<BR /> FIELDS = "date","datetime","service","ws","browser","params","gui","empty","method","id","status","ver"</CODE></P> <P>EDIT: You need commas between field names.</P> Tue, 26 Nov 2013 13:37:22 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156635#M44058 _d_ 2013-11-26T13:37:22Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156636#M44059 <P>The DELIMS and FIELDS belong in transforms.conf not props.conf. Also, in FIELDS remove the quotes and delimiters - use a space separated list of fields.</P> <P>FIELDS = date datetime service ws browser params gui empty method id status ver</P> <P>You will need an entry in props.conf to point the source or sourcetype to the transform stanza like this:</P> <P>props.conf</P> <P>[yoursourcetype]<BR /> REPORT-yourfieldlist = fieldlist</P> <P>transforms.conf</P> <P>[fieldlist]<BR /> DELIMS = "|"<BR /><BR /> FIELDS = date datetime service ws browser params gui empty method id status ver</P> Tue, 26 Nov 2013 13:42:21 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156636#M44059 lukejadamec 2013-11-26T13:42:21Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156637#M44060 <P>i dont have a transforms.conf file.<BR /> only props.conf.<BR /> how can i do it from the SplunkWeb Gui?<BR /> thanks</P> Tue, 26 Nov 2013 14:15:36 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156637#M44060 shayhk 2013-11-26T14:15:36Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156638#M44061 <P>You can't.<BR /> You need to create the file on the indexer at:<BR /> <CODE>splunk\etc\system\local\transforms.conf</CODE></P> Tue, 26 Nov 2013 14:26:28 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156638#M44061 lukejadamec 2013-11-26T14:26:28Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156639#M44062 <P>all i need to do is to create the file and define it like you did?</P> Tue, 26 Nov 2013 15:15:18 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156639#M44062 shayhk 2013-11-26T15:15:18Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156640#M44063 <P>Yes, as long as the REPORT-xxx in props.conf references the stanza name in transforms.conf.</P> Tue, 26 Nov 2013 15:17:42 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156640#M44063 _d_ 2013-11-26T15:17:42Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156641#M44064 <P>Don't forget to restart splunkd when you're done with the file.</P> Tue, 26 Nov 2013 16:33:56 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156641#M44064 lukejadamec 2013-11-26T16:33:56Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156642#M44065 <P>I did all these thing and still, the fileds i asked for are are not showen in the selected\Interesting fields bar.</P> Wed, 27 Nov 2013 11:32:19 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156642#M44065 shayhk 2013-11-27T11:32:19Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156643#M44066 <P>it's not working.<BR /> i changed the props.conf + transforms.conf<BR /> and restarted the splunk service.</P> Wed, 27 Nov 2013 11:34:51 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156643#M44066 shayhk 2013-11-27T11:34:51Z https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156644#M44067 <P>FIELDS = date datetime service ws browser params gui empty method id status ver<BR /> or</P> <P>FIELDS = "date"|"datetime"|"service"|"ws"|"browser"|"params"|"gui"|"empty"|"method"|"id"|"status"|"ver"</P> <P>????</P> Wed, 27 Nov 2013 11:37:18 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-dont-show-fields-after-parsed-why/m-p/156644#M44067 shayhk 2013-11-27T11:37:18Z