- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: CSV field extraction on a deployed app
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a app that is deployed on a host that polls a csv file. I can get data in to the Splunk indexer, but it does not recognize the fields as described in the transforms.conf file located in the apps default directory. Here is what I have.
C:\Program
Files\SplunkUniversalForwarder\etc\apps\vievents\default
inputs.conf
[monitor://E:\Logs\vcenter\vievents.csv]
disabled = false
sourcetype = vievents_csv
props.conf
[vievents_csv]
SHOULD_LINEMERGE = false
TRANSFORMS-vievents = vievents_extractions
transforms.conf
[vievents_extractions]
DELIMS=","
FIELDS="CreatedTime","Key","ChainId","EventType","UserName","Datacenter","ComputeResource","Host","Vm","Ds","Net","Dvs","FullFormattedMessage"
How do I get splunk to recognize the fields? Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue solved. Replaced TRANSFORMS-vievents with REPORT-vievents. Reboot splunkd.
Also needed to rename some field names as they overlap with existing splunk fields: EventType, Host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue solved. Replaced TRANSFORMS-vievents with REPORT-vievents. Reboot splunkd.
Also needed to rename some field names as they overlap with existing splunk fields: EventType, Host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well I initially included them in the app directory on the forwarded host, but I also copied them to the indexers system local directory. Rebooted, but no difference.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, do you have these props.conf / transforms.conf settings on the indexer? Or just the host that the data is read from?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here you go. I just modified some text for privacy, but otherwise structure is the same. Some of the characters like colons and slashes get stripped.
"4/27/2012 1:37:45 PM","71642","71638","VmMacAssignedEvent","IIGCF\lus3","USLAB1","Management","uslab1esxi05.domain.com","FreeBSD",,,,"New MAC address (00:50:56:99:77:90) assigned to adapter c3 88 19 50 5c f5 fa 1a-51 58 6c b7 84 16 7a 90 for FreeBSD"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you post an example row from the raw data?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
