The following works fine in the search bar.
index=i_a sourcetype=a_out | transaction source maxspan=1h | rex field=source "[\w\W]+/(?
Props.conf entry is as follows
[a_out]
TZ = America/New_York
TIME_FORMAT = %m/%d/%Y %H:%M:%S
SHOULD_LINEMERGE = False
KV_MODE=none
EXTRACT-sourcefields =[\w\W]+/(?
EXTRACT-jobid = JobId=(?
EXTRACT-batch_type = Batch_Type=(?
File is of the format - RUN_D_INCR_ABC_INCR_9_TESTF_EXP_C.20130801023732_99999.out.
(JOBNAME.DATE_PROCESSID.OUT)
Problem - The report only displays the Time and doesn’t display jobname/PID.
“View results” from the report is
index=i_a sourcetype=a_out | transaction source maxspan=1h | eval Time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table Job_Name PID Time
I have seen this before when some of the fields have no value. Try fillnull. Here is a link to fillnull:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Fillnull
Also, you should use comma-separated fields:
Job_Name,PID,Time
Could you get sample logs for us? Are the fields shown when used without transaction?