
Splunk field transformation from UI does not reflect in props.conf and transforms.conf

New Member

Hi Team,

I have written a regex "^(?[^\t]+)\t(?[^\t]+)\t(?[^\t]+)\t(?\w+)[^\t\n]*\t(?[^\t]+)\t(?\w+\s+)(?[^\t]+)(?.+)". Please let me know how I can automatically create props.conf and transforms.conf.
There is no proper blog explaining the details of how to create a basic props.conf and transforms.conf to extract a custom log event.

log sample

2017-05-26 18:51:20 2017-06-19 12:19:45 \FILES.BM.QLIKVIEW.XXX.XXXXX.XXX.XU\QLIKVIEW BM SRDE\60.XXXX DOCUMENTS\googlemapexampl.qvw Bookmark XXXX\XXXX Apply Server\XXX-00 9999

Please provide props.conf and transforms.conf, or please let me know how we can generate them automatically.

Regards
Emu

0 Karma

New Member

Please go to Fields ---> Settings --> Field extractions.

Select the source type you want to analyse, say qvd (please add the qvd source data before analysing it in Splunk).

Select the delimiter method: regex or tab-delimited; either of them can be used, or both.

On creating the regex from the Splunk search UI, the config files get generated automatically and can be found at the path below.

C:\Program Files\Splunk\etc\apps\search\local

props.conf

[qvd]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = QlikViewLogs
pulldown_type = true
EXTRACT-QVD = ^(?[^\t]+)\t(?[^\t]+)\t(?[^\t]+)\t(?\w+)[^\t\n]*\t(?[^\t]+)\t(?\w+\s+)(?[^\t]+)(?.+)
REPORT-QVD-Automatic = REPORT-QVD-Automatic
disabled = false

[QlikView]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Qlik View Logs
pulldown_type = true

transforms.conf

[REPORT-QVD-Automatic]
DELIMS = "\t"
FIELDS = "ServerStarted","Timestamp","Document","Type","User","Message","Id","Session"

Please feel free to advise in case I am missing something.

Regards
Emu

0 Karma

Communicator

When you create field extractions from the GUI, it depends on the app context you are in. So if you are in the Search app when you start creating regex/field extractions, then yes, props and transforms will get created in search/local; otherwise they go into the local directory of whatever app context you are in.

OR you can create the files props.conf and transforms.conf manually in your app name/local with the above config and save them. Splunk should reload the configurations, and once you run your searches you should see your new fields.

0 Karma

SplunkTrust
SplunkTrust

@smdasim, please refer to the documentation on performing Interactive Field Extraction (IFX) through the Splunk UI.
You can write the regular expression yourself or use Splunk's auto-generated regular expression. You can also add/remove events based on your needs to ensure the regular expression is working as expected.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX

If you plan to use your own regular expression, do test it out with the sample data in IFX. Alternatively, you can test your regular expression directly in Splunk Search using the rex command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
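The following is an added example, not code from any post in this thread or from Splunk. It illustrates two points raised above: what the DELIMS/FIELDS report in the posted transforms.conf does to a tab-separated event, and how to check a candidate named-group regex against sample data before committing it to props.conf, as the last answer recommends. The sample event is constructed from the thread's log line with the tabs restored (the column boundaries are an assumption, since the pasted line lost its tabs), the group names in the regex are an assumption (the posted regex lost its <name> parts), and the Message/Id groups are simplified to one tab-delimited column each. Splunk uses PCRE, whose `(?<name>...)` syntax Python's `re` does not accept, so the example rewrites it to `(?P<name>...)` before matching.

```python
import re

# Constructed sample event (assumed tab positions; the thread's pasted line lost its tabs).
SAMPLE_EVENT = (
    "2017-05-26 18:51:20\t2017-06-19 12:19:45\t"
    "\\FILES.BM.QLIKVIEW.XXX.XXXXX.XXX.XU\\QLIKVIEW BM SRDE\\60.XXXX DOCUMENTS\\googlemapexampl.qvw\t"
    "Bookmark\tXXXX\\XXXX\tApply\tServer\\XXX-00\t9999"
)

# FIELDS list from the thread's transforms.conf, in order.
FIELDS = ["ServerStarted", "Timestamp", "Document", "Type", "User", "Message", "Id", "Session"]

# Candidate regex in Splunk (PCRE) named-group syntax. Group names and the
# one-column-per-group layout of Message/Id are assumptions for this example.
SPLUNK_REGEX = (
    r"^(?<ServerStarted>[^\t]+)\t(?<Timestamp>[^\t]+)\t(?<Document>[^\t]+)\t"
    r"(?<Type>\w+)[^\t\n]*\t(?<User>[^\t]+)\t(?<Message>[^\t]+)\t(?<Id>[^\t]+)\t(?<Session>.+)"
)


def delims_extract(event, fields, delim="\t"):
    """Mimic a transforms.conf DELIMS/FIELDS report: split on the delimiter and
    pair values with field names by position. A short event simply leaves the
    trailing fields unset; surplus columns beyond the FIELDS list are dropped."""
    values = event.rstrip("\r\n").split(delim)
    return dict(zip(fields, values))


def to_python_regex(pcre):
    """Rewrite PCRE (?<name>...) groups to Python's (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched because a group name
    must start with a letter or underscore."""
    return re.sub(r"\(\?<(?P<n>[A-Za-z_]\w*)>", r"(?P<\g<n>>", pcre)


def regex_extract(event, pcre):
    """Apply a Splunk-style regex to one event and return its named groups,
    or an empty dict when the regex does not match (as EXTRACT- would yield no fields)."""
    m = re.match(to_python_regex(pcre), event)
    return m.groupdict() if m else {}


def check_extraction(event=SAMPLE_EVENT):
    """Compare the delimiter-based and regex-based extractions of one event.
    Returns (agree, fields_by_delims) so a mismatch can be inspected."""
    by_delims = delims_extract(event, FIELDS)
    by_regex = regex_extract(event, SPLUNK_REGEX)
    return by_delims == by_regex, by_delims


if __name__ == "__main__":
    agree, fields = check_extraction()
    print("DELIMS and regex extractions agree:", agree)
    for name in FIELDS:
        print(f"{name:14s} = {fields.get(name)!r}")
```

Run the script against a handful of real events (one per line) before editing props.conf; a line where the two extractions disagree, or where the regex returns nothing, is exactly the case IFX would flag when you add that event to its sample set.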