Hi, I have the following in my environment. But fields are not visible in "Manager » Fields » Field extractions/Field transformations". Search ( StartTime="0216.15:54:*") returns 0 matched records. What am I not doing right?
# transforms.conf (stanza name as mentioned further down in the thread)
[xxx_fields]
FIELDS = "Node", "StartTime", "EndTime"

# props.conf (sourcetype stanza as mentioned further down in the thread)
[xxx]
REPORT-xxx_fields = xxx_fields
KV_MODE = none
NO_BINARY_CHECK = false
SHOULD_LINEMERGE = false
pulldown_type = 1
My log file entries look like the following.
NODE1 0216.15:54:04.588 0216.15:54:04.588
NODE1 0216.15:54:01.634 0216.15:54:01.634
Have you checked that you are in the correct app/owner context in manager? (the 2 dropdown menus on the top of the page).
If you select "All" and "Any" respectively, it should be listed as;
Yes, I have checked all those and nothing shows up even when "all" is selected. The *.conf files are in etc\system\local if that makes a difference.
Does your sourcetype name (xxx) or transforms stanza name (xxx_fields) contain hyphens (minus/dash/-)? That could surely prevent them from working correctly.
BTW, based on your sample events, your DELIMS could probably be just;
DELIMS = " "
The sourcetype and transform stanza names contain only letters and underscores. That should work, right? You are right about the DELIMS. Do I need to reindex, and if so, what is the best way? Is there a log (no pun intended) etc. that I can look into to see what is happening during search?
No need to re-index - all of this takes place at search time.
Have you looked at the Job Inspector? Click on "Jobs" in the top right corner, find the search you ran and click "inspect".
Other than that, you could/should install Splunk on Splunk (S.o.S), which is great for finding strange errors in your installation. It also requires Sideview Utils. Both are available for free on http://splunk-base.splunk.com/apps
Looked into jobs->inspect. I thought the following looks interesting. Also I do not see any of the fields I defined in transforms.conf.
litsearch sourcetype=xxx StartTime="0216*" | fields keepcolorder=t "_raw" "_time" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
I think a sample DELIMS file with corresponding props.conf, transforms.conf and the index step would make life of the beginner easier.
Yeah, based on your data your DELIMS should be set to this:
DELIMS = " "
FIELDS = Node, StartTime, EndTime
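For reference, here is a complete pair of files that implements the answer above for the two sample events in the question. This is an added example, not a configuration posted in the thread; the stanza names xxx and xxx_fields are the ones the thread mentions, and the app directory is an assumption.

```ini
# $SPLUNK_HOME/etc/apps/search/local/transforms.conf  (directory is an assumption)
# Delimiter-based extraction: split each event on a single space and
# name the resulting columns positionally. The sample events have three
# columns, so three field names are given.
[xxx_fields]
DELIMS = " "
FIELDS = Node, StartTime, EndTime

# $SPLUNK_HOME/etc/apps/search/local/props.conf
# Attach the transform to the sourcetype. REPORT-* extractions run at
# search time, so editing them never requires re-indexing.
[xxx]
REPORT-xxx_fields = xxx_fields
KV_MODE = none
SHOULD_LINEMERGE = false
```

To check that Splunk actually sees these stanzas, run `splunk btool props list xxx --debug` and `splunk btool transforms list xxx_fields --debug` on the search head; btool prints the file each setting was read from, which quickly shows a stanza that is missing, misspelled, or shadowed by another app. After saving the files, either restart Splunk or run a search with `| extract reload=true` to reload props.conf and transforms.conf, then verify with `sourcetype=xxx StartTime="0216.15:54:*" | table Node StartTime EndTime`, which should return both sample events. On a search head cluster, files edited by hand in etc/system/local or an app's local directory on one member are not replicated to the others; distribute the app through the deployer so every member carries the same props.conf and transforms.conf.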
I am having the same exact issue.
DELIMS = ","
FIELDS = field1, field2, field3, field4
REPORT-props1props = props1props_tr
both the props.conf and transforms.conf reside in apps/search/local/
I have selected "ALL" but the transforms does not show up in the "Field transformation" page on splunk web.
We have a search head cluster implementation. Could this behavior be due to the cluster?
The permissions on my props --> props1propsprops2 is "Global", if that helps.
Is there a solution to this?