
DELIM based fields not showing up in Web manager or search

New Member

Hi, I have the following in my environment. But fields are not visible in "Manager » Fields » Field extractions/Field transformations". Search (StartTime="0216.15:54:*") returns 0 matched records. What am I not doing right?

transform.conf:

[xxx_fields]
DELIMS=";, "
FIELDS = "Node", "StartTime", "EndTime"

prop.conf:

[xxx]
REPORT-xxx_fields = xxx_fields
KV_MODE = none
NO_BINARY_CHECK = false
SHOULD_LINEMERGE = false
pulldown_type = 1

My log file entries look like the following.

NODE1 0216.15:54:04.588 0216.15:54:04.588
NODE1 0216.15:54:01.634 0216.15:54:01.634

0 Karma

Re: DELIM based fields not showing up in Web manager or search

Ultra Champion

Have you checked that you are in the correct app/owner context in manager? (the 2 dropdown menus on the top of the page).

If you select "All" and "Any" respectively, it should be listed as;
xxx: REPORT-xxx_fields

/K

0 Karma

Re: DELIM based fields not showing up in Web manager or search

New Member

Yes, I have checked all those and nothing shows up even when "all" is selected. The *.conf files are in etc\system\local if that makes a difference.

0 Karma

Re: DELIM based fields not showing up in Web manager or search

Ultra Champion

Does your sourcetype name (xxx) or transforms stanza name (xxx_fields) contain hyphens (minus/dash/-)? That could surely prevent them from working correctly.

BTW, based on your sample events, your DELIMS could probably be just;

DELIMS = " "

/k

0 Karma

Re: DELIM based fields not showing up in Web manager or search

New Member

The sourcetype and transform stanza names contain only letters and underscores. That should work, right? You are right about the DELIM. Do I need to reindex, and if so, what is the best way? Is there a log (no pun intended) etc. that I can look into to see what is happening during search?

0 Karma

Re: DELIM based fields not showing up in Web manager or search

Ultra Champion

No need to re-index - all of this takes place at search time.

Have you looked at the Job Inspector? Click on "Jobs" in the top right corner, find the search you ran and click "inspect".

Other than that, you could/should install Splunk on Splunk (S.o.S), which is great for finding strange errors in your installation. It also requires Sideview Utils. Both are available for free on http://splunk-base.splunk.com/apps

/k

0 Karma

Re: DELIM based fields not showing up in Web manager or search

New Member

Looked into jobs->inspect. I thought the following looks interesting. Also I do not see any of the fields I defined in transform.conf.

litsearch sourcetype=xxx StartTime="0216*" | fields keepcolorder=t "_raw" "_time" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

I think a sample DELIM file with corresponding props.conf, transform.conf and the index step would make the life of a beginner easier.

0 Karma

Re: DELIM based fields not showing up in Web manager or search

Splunk Employee

Yeah, based on your data your DELIMS should be set to this:

transforms.conf

[xxx_fields]
DELIMS = " "
FIELDS = Node, StartTime, EndTime


0 Karma

Re: DELIM based fields not showing up in Web manager or search

Communicator

I am having the same exact issue.

transforms.conf
[props1propstr]
DELIMS = ","
FIELDS = field1,field2, field3,field4

props.conf
[props1propsprops2]
REPORT-props1props = props1props_tr

Both the props.conf and transforms.conf reside in apps/search/local/.
I have selected "ALL" but the transform does not show up in the "Field transformation" page on Splunk Web.
We have a search head cluster implementation. Could this behavior be due to the cluster?
The permissions on my props --> props1propsprops2 is "Global", if that helps.
Is there a solution to this?

0 Karma
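
Added example, not part of any post in this thread: a small Python check that every REPORT- setting in a props.conf names a stanza that actually exists in transforms.conf, which is the link both configurations above depend on. The file contents are constructed samples that reuse the thread's stanza names; the function names are hypothetical.

```python
"""Check that REPORT-* settings in props.conf resolve to transforms.conf stanzas."""
import re


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; skips blanks and # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def unresolved_reports(props_text, transforms_text):
    """Return (props stanza, setting, name) for each REPORT-* reference with no stanza."""
    transforms = parse_conf(transforms_text)
    problems = []
    for stanza, settings in parse_conf(props_text).items():
        for key, value in settings.items():
            if not key.startswith("REPORT-"):
                continue
            # A REPORT- value is a comma-separated list of transforms stanza names.
            for name in (n.strip() for n in value.split(",")):
                if name and name not in transforms:
                    problems.append((stanza, key, name))
    return problems


# Constructed sample files (not copied from any poster's system).
TRANSFORMS = '''
[xxx_fields]
DELIMS = " "
FIELDS = Node, StartTime, EndTime
'''
PROPS_OK = '''
[xxx]
REPORT-xxx_fields = xxx_fields
KV_MODE = none
'''
# Same file, but the reference has lost its underscore and no longer matches a stanza.
PROPS_BAD = PROPS_OK.replace("= xxx_fields", "= xxxfields")

if __name__ == "__main__":
    for label, props in (("ok", PROPS_OK), ("bad", PROPS_BAD)):
        print(label, unresolved_reports(props, TRANSFORMS))
```

This only compares one pair of files; on a live instance, splunk btool props list xxx --debug shows the merged settings and the file each one is read from.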