Concatenating fields at index time doesn't seem to work. I have the following transform:
[gztdnv]
REGEX = <td>\s+(\S+)\s+(\S+)
FORMAT = td_nv::$1.$2
MV_ADD = true
the data looks like:
"<td> BW 400"
I would expect to see a value for td_nv of BW400 after the search. However, the transform remains in its unprocessed state indicating that td_nv is simply "$1.$2". If I just use $1 or $2 it is evaluated correctly with that piece.
This is described in the Splunk docs section under "create custom fields at index time". Any ideas?
No luck so far... here are the three key files. Restarted Splunk and no td_nv field even appears...
transforms.conf :
[gztdnv]
REGEX = \s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = td_nv::"$1.$2"
WRITE_META = true
props.conf :
[mylogs]
TRANSFORMS-gztdnv = gztdnv
fields.conf:
[td_nv]
INDEXED=true
You're using REPORT instead of TRANSFORMS for the fields you are trying to concatenate. REPORT is a definition for a search-time extraction, not an index-time extraction. You need to use TRANSFORMS if you want to concatenate values, as this is not supported for search-time extractions.
Tried it with both FORMAT suggestions with no change so far. The props.conf entry is below. FYI, all the other extracts and reports pieces work.
Thx.
[MyLogs]
TRUNCATE = 0
LINE_BREAKER = (?!)
BREAK_ONLY_BEFORE = ^
TIME_PREFIX = ^
EXTRACT-segName = ^
EXTRACT-testName = ^
EXTRACT-testExec = ^
EXTRACT-npes = ^
EXTRACT-JobID = ^
EXTRACT-compiler = ^
EXTRACT-params = ^
EXTRACT-rmgr = ^
EXTRACT-user = ^
EXTRACT-vers = ^
EXTRACT-start = ^
EXTRACT-end = ^
EXTRACT-results = ^\s*
EXTRACT-nodes = ^
EXTRACT-real = ^real\s+(?
REPORT-gztd = gztd
REPORT-gztdnv = gztdnv
REPORT-gzresults = gzresults
There might be a couple of issues here but try this and let me know if it works:
[gztdnv]
REGEX = \<td\>\s+(\S+)\s+(\S+)
FORMAT = $1::$2
MV_ADD = true
The "<" and ">" have to be escaped with a backslash "\". Also if you are creating a grouping in the REGEX then the FORMAT has to be "$1::$2".
Here is a link to more information:
http://docs.splunk.com/Documentation/Splunk/4.2.4/Data/Configureindex-timefieldextraction
< and > do not need to be escaped.
Is this transform referred to in props.conf using the EXTRACT directive or TRANSFORMS directive? Could you paste the props.conf section?
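To see what the different FORMAT strings discussed in this thread would produce for the sample line, here is a small emulation of the index-time FORMAT substitution: each $N is replaced by regex capture group N, and every whitespace-separated name::value token becomes a field. This is an added example, not Splunk's code; the substitution rules are my reading of the documented behaviour, and EVENT is a constructed sample line.

```python
import re

# Constructed sample event and the REGEX quoted in the question.
EVENT = "<td> BW 400"
REGEX = r"<td>\s+(\S+)\s+(\S+)"


def apply_transform(event, regex, fmt, mv_add=False):
    """Emulate index-time FORMAT handling for one transforms.conf stanza.

    Returns {field: value}, or {field: [values]} when mv_add is True
    (one value per regex match). Literal text in FORMAT, such as the '.'
    in 'td_nv::$1.$2', is copied into the value unchanged.
    """
    fields = {}
    for m in re.finditer(regex, event):
        # $0 is the whole match; $1, $2, ... are the capture groups.
        # A reference to a group the regex does not have expands to "".
        def group(ref):
            n = int(ref.group(1))
            return (m.group(n) or "") if n <= m.re.groups else ""

        expanded = re.sub(r"\$(\d+)", group, fmt)
        for token in expanded.split():
            if "::" not in token:
                continue  # not a name::value assignment
            name, value = token.split("::", 1)
            if mv_add:
                fields.setdefault(name, []).append(value)
            else:
                fields.setdefault(name, value)  # first match wins
        if not mv_add:
            break
    return fields


def compare_formats():
    """Run the FORMAT variants from the thread against the sample line."""
    return {
        "td_nv::$1.$2": apply_transform(EVENT, REGEX, "td_nv::$1.$2"),
        'td_nv::"$1.$2"': apply_transform(EVENT, REGEX, 'td_nv::"$1.$2"'),
        "$1::$2": apply_transform(EVENT, REGEX, "$1::$2"),
        "td_nv::$1$2": apply_transform(EVENT, REGEX, "td_nv::$1$2"),
    }


if __name__ == "__main__":
    for fmt, result in compare_formats().items():
        print(f"FORMAT = {fmt:16} -> {result}")
```

Note that `$1::$2` makes the first capture group the field *name*, so the sample line yields a field called BW rather than td_nv; whether any of these values reach the index still depends on props.conf referencing the stanza via TRANSFORMS rather than REPORT, and on fields.conf marking td_nv INDEXED = true, as discussed above.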