Getting Data In

CSV field extraction on a deployed app

virtualpony
Path Finder

I have a app that is deployed on a host that polls a csv file. I can get data in to the Splunk indexer, but it does not recognize the fields as described in the transforms.conf file located in the apps default directory. Here is what I have.

C:\Program
Files\SplunkUniversalForwarder\etc\apps\vievents\default

inputs.conf
[monitor://E:\Logs\vcenter\vievents.csv]
disabled = false
sourcetype = vievents_csv

props.conf
[vievents_csv]
SHOULD_LINEMERGE = false
TRANSFORMS-vievents = vievents_extractions

transforms.conf
[vievents_extractions]
DELIMS=","
FIELDS="CreatedTime","Key","ChainId","EventType","UserName","Datacenter","ComputeResource","Host","Vm","Ds","Net","Dvs","FullFormattedMessage"

How do I get splunk to recognize the fields? Thanks.

0 Karma
1 Solution

virtualpony
Path Finder

Issue solved. Replaced TRANSFORMS-vievents with REPORT-vievents. Reboot splunkd.

Also needed to rename some field names as they overlap with existing splunk fields: EventType, Host

View solution in original post

virtualpony
Path Finder

Issue solved. Replaced TRANSFORMS-vievents with REPORT-vievents. Reboot splunkd.

Also needed to rename some field names as they overlap with existing splunk fields: EventType, Host

virtualpony
Path Finder

well I initially included them in the app directory on the forwarded host, but I also copied them to the indexers system local directory. Rebooted, but no difference.

0 Karma

Ayn
Legend

So, do you have these props.conf / transforms.conf settings on the indexer? Or just the host that the data is read from?

0 Karma

virtualpony
Path Finder

Here you go. I just modified some text for privacy, but otherwise structure is the same. Some of the characters like colons and slashes get stripped.

"4/27/2012 1:37:45 PM","71642","71638","VmMacAssignedEvent","IIGCF\lus3","USLAB1","Management","uslab1esxi05.domain.com","FreeBSD",,,,"New MAC address (00:50:56:99:77:90) assigned to adapter c3 88 19 50 5c f5 fa 1a-51 58 6c b7 84 16 7a 90 for FreeBSD"

0 Karma

dbryan
Path Finder

Could you post an example row from the raw data?

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...