Hi guys,
I've installed the Splunk App for Unix and Linux in my Splunk server (I've only 1 splunk server and N splunk universal forwarder).
On each forwarder I've installed the Splunk Add-on for Unix and Linux.
The data are are synchronized in the "os" index without problem.
But If I take a look at the data, I noticed that Splunk cannot extract the fields:
I checked the transforms.conf of the Splunk Add-on and I can see, for example, that a transformation for the CPU has been defined
#CPU pctUser pctNice pctSystem pctIowait pctIdle
#all 1 0 1 ? 97
[fields_for_cpu_sh]
REGEX = all\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)
FORMAT = pctUser::$1 pctNice::$2 pctSystem::$3 pctIowait::$4 pctIdle::$5
But it seems that it is not applied to my data.
I tried to search where the "fields_for_cpu_sh" is used in the configuration files but I couldn't find it (exception for the transforms.conf)
What am I missing?
thanks
Thank for answering,
The output seems the same:
Maybe I'm mistaking, but shouldn't I find the string "fields_for_cpu_sh" in another configuration file?
For example, in my custom application I defined a transformation (MYTRANSFORMATION) in trasformations.conf , and in the props.conf file of my app I defined also:
[my-source-type]
REPORT-fields = MYTRANSFORMATION
