Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- I want to parse the below structured data. I want ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration:
Sample Data:
FILED1|FIELD2|FIELD3|FIELD4
INDIA|AGRICULTURE|HELLO|200
AMERICA|FOOD|HELLO |404
CHINA|PEOPLE|HI|402
NEPAL|COLTHS|HI|411
Output should have only have only field FIELD2 & FIELD3 data.
Inputs.conf
[monitor://C:\testauths*.txt]
index=main
sourcetype=mytestdata
props.conf
[mytestdata]
CHARSET=AUTO
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS=csv
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
FIELD_DELIMITER=|
HEADER_FIELD_LINE_NUMBER=0
REPORT-fields = getLogData
transforms.conf
[getLogData]
DELIMS = "|"
FIELDS= "",FIELD2,FIELD3,""
I am sure somewhere i am making mistake.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @umeshagarwal008
You can use field transformations in props, TRANSFORMS-q=nq
then in transforms.conf
[nq]
REGEX=CHINA.* | NEPAL.*
FORMAT=queue
DEST_KEY=nullQueue
hope this helps..
Regards,
Pramodh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's some things that I'd try, one at a time -
A) change to INDEXED_EXTRACTIONS=psv.
(This may not help but should not hurt.)
B) change namespace from REPORT-fields to REPORT-search or REPORT-yourappname.
(This is my best guess of the real issue.)
C) remove pulldown_type clause
(In the admin manual, it says # NOT YOURS. DO NOT SET.)
D) remove disabled clause
(I don't find it in the admin manual for that stanza.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried with the above changes but now I am not getting any data indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
which change caused the data to stop indexing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After restarting splunk all data are getting indexed rather than the two fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you want them indexed, or extracted at search time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to them to be indexed.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
