topic Re: Why can't I get the right field extractions from a PSV file using auto header in transforms.conf? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194179#M55948 <P>ok i will take a look.</P> Wed, 25 Mar 2015 10:18:58 GMT stephane_cyrill 2015-03-25T10:18:58Z Why can't I get the right field extractions from a PSV file using auto header in transforms.conf? https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194175#M55944 <P>Hi all,</P> <P>I have here a log file with a header and I'm using transforms.conf to extract the fields, but I'm not getting the right results.</P> <P>for reference:</P> <P>my log file consist of:</P> <PRE><CODE>ARU|Portion|AR Text Sched|From Date|To Date| 02000000|02_AG0|SCAL MRU 02_AG0|02/01/20|12/31/20| 02001000|02_AG1|SCAL MRU 02_AG1|02/01/20|12/31/20| 02002000|02_AG2|SCAL MRU 02_AG2|02/01/20|12/31/20| 02003000|02_AG3|SCAL MRU 02_AG3|02/01/20|12/31/20| </CODE></PRE> <P>I put props.conf both on:<BR /> C:\Program Files\Splunk\etc\system\local\props.conf<BR /> C:\Program Files\Splunk\etc\app\Maynilad\local\props.conf</P> <PRE><CODE>[rbil_mrsched] NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Custom disabled = false pulldown_type = true INDEXED_EXTRACTIONS = PSV REPORT-AutoHeader = rbil_mrsched_trans </CODE></PRE> <P>and in my transforms.conf<BR /> C:\Program Files\Splunk\etc\system\local\transfoms.conf</P> <PRE><CODE>[rbil_mrsched_trans] DELIMS= "|" FIELDS="RbillARU","|","RbillPortion","|","RbillARTextSched","|","RbillFromDate","|","RbillToDate","|" </CODE></PRE> <P>Values should be<BR /> RbillARU:</P> <PRE><CODE>02000000 02001000 02002000 02003000 </CODE></PRE> <P>RbillPortion:</P> <PRE><CODE>02_AG0 02_AG1 02_AG2 02_AG3 </CODE></PRE> <P>RbillARTextSched:</P> <PRE><CODE>SCAL MRU 02_AG0 SCAL MRU 02_AG1 SCAL MRU 02_AG2 SCAL MRU 02_AG3 </CODE></PRE> <P>RbillFromDate:</P> <PRE><CODE>02/01/20 </CODE></PRE> <P>RbillToDate:</P> <PRE><CODE>12/31/20 </CODE></PRE> <P>but the results are: <BR /> 02000000 for RbillARU (correct)<BR /> no values for RbillPortion<BR /> SCAL MRU 02_AG0 for RbillPortion (wrong this should be the result for RbillARTextSched)<BR /> 12/31/20 for RbillARTextSched (wrong this should be the result for RbillToDate)<BR /> no values/result for RbillFromDate<BR /> no values/result for RbillToDate</P> <P>Please help me with this. thanks</P> Wed, 25 Mar 2015 05:13:07 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194175#M55944 shariinPH 2015-03-25T05:13:07Z Re: Why can't I get the right field extractions from a PSV file using auto header in transforms.conf? https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194176#M55945 <P>Hi, I want to try But i need your file.<BR /> is it a csv?<BR /> can you send it to<BR /> <A href="mailto:cyrilleko@gmail.com">cyrilleko@gmail.com</A> </P> Wed, 25 Mar 2015 09:03:58 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194176#M55945 stephane_cyrill 2015-03-25T09:03:58Z Re: Why can't I get the right field extractions from a PSV file using auto header in transforms.conf? https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194177#M55946 <P>Its a txtfile .. i'll send you</P> Wed, 25 Mar 2015 09:45:58 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194177#M55946 shariinPH 2015-03-25T09:45:58Z Re: Why can't I get the right field extractions from a PSV file using auto header in transforms.conf? https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194178#M55947 <P>Hi , I have put your sample data in a text file that i indexed. you can use this regex to have your fields extracted as you like.</P> <PRE><CODE>index=* sourcetype=txt | rex field=_raw "^(?P\\s+\\d+)\\|(?P[^\\|]+)\\|(?P[^\\|]+)\\|(?P[^\\|]+)\\|(?P[^\\|]+)"|table RbillARU RbillPortion RbillARTextSched RbillFromDate </CODE></PRE> Wed, 25 Mar 2015 09:55:01 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194178#M55947 stephane_cyrill 2015-03-25T09:55:01Z Re: Why can't I get the right field extractions from a PSV file using auto header in transforms.conf? https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194179#M55948 <P>ok i will take a look.</P> Wed, 25 Mar 2015 10:18:58 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194179#M55948 stephane_cyrill 2015-03-25T10:18:58Z Re: Why can't I get the right field extractions from a PSV file using auto header in transforms.conf? https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194180#M55949 <P>hello, does it work on your machine?</P> Thu, 26 Mar 2015 02:33:46 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194180#M55949 shariinPH 2015-03-26T02:33:46Z Re: Why can't I get the right field extractions from a PSV file using auto header in transforms.conf? https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194181#M55950 <P>You have specified INDEXED_EXTRACTIONS = PSV, Splunk should do the right thing automatically.</P> <P>You definitely don't need a transforms.conf (aside from it being incorrect), please review this <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime#Props.conf_attributes_for_structured_data">documentation</A></P> Thu, 26 Mar 2015 05:36:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194181#M55950 s2_splunk 2015-03-26T05:36:15Z Re: Why can't I get the right field extractions from a PSV file using auto header in transforms.conf? https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194182#M55951 <P>with this i have to remove the configs on my transforms.conf?</P> Thu, 26 Mar 2015 06:44:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194182#M55951 shariinPH 2015-03-26T06:44:03Z Re: Why can't I get the right field extractions from a PSV file using auto header in transforms.conf? https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194183#M55952 <P>Yes, although it doesn't matter if it doesn't get referenced. <BR /> I also wouldn't specify anything in <CODE>../etc/system/local</CODE> but instead put all your configurations for this in a separate app context. Whatever you decide, definitely only have it ONE place.</P> <P>I would just try: </P> <PRE><CODE>[rbil_mrsched] NO_BINARY_CHECK = true SHOULD_LINEMERGE = false INDEXED_EXTRACTIONS = PSV </CODE></PRE> <P>You should see that your events show up with the field names as defined in the header row of the PSV input file, assuming you specified <STRONG>sourcetype=rbil_mrsched</STRONG> in your inputs.conf.</P> <P>If you don't like those field names, you can create field aliases on your search head, or use the rename command in your searches.</P> Thu, 26 Mar 2015 06:52:12 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-I-get-the-right-field-extractions-from-a-PSV-file/m-p/194183#M55952 s2_splunk 2015-03-26T06:52:12Z