I want to parse the below structured data. I want ...

umeshagarwal · ‎01-17-2017

Output should have only have only field FIELD2 & FIELD3 data.

Inputs.conf
[monitor://C:\testauths*.txt]
index=main
sourcetype=mytestdata

props.conf
[mytestdata]
CHARSET=AUTO
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS=csv
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
FIELD_DELIMITER=|
HEADER_FIELD_LINE_NUMBER=0
REPORT-fields = getLogData

transforms.conf
[getLogData]
DELIMS = "|"
FIELDS= "",FIELD2,FIELD3,""

I am sure somewhere i am making mistake.

PramodhKumar · ‎03-08-2020

Hi @umeshagarwal008

You can use field transformations in props, TRANSFORMS-q=nq
then in transforms.conf
[nq]
REGEX=CHINA.* | NEPAL.*
FORMAT=queue
DEST_KEY=nullQueue

hope this helps..

Regards,
Pramodh

DalJeanis · ‎01-17-2017

Here's some things that I'd try, one at a time -

A) change to INDEXED_EXTRACTIONS=psv.
(This may not help but should not hurt.)

B) change namespace from REPORT-fields to REPORT-search or REPORT-yourappname.
(This is my best guess of the real issue.)

C) remove pulldown_type clause
(In the admin manual, it says # NOT YOURS. DO NOT SET.)

D) remove disabled clause
(I don't find it in the admin manual for that stanza.)

umeshagarwal · ‎01-18-2017

Tried with the above changes but now I am not getting any data indexed.

DalJeanis · ‎01-21-2017

which change caused the data to stop indexing?

umeshagarwal · ‎02-02-2017

After restarting splunk all data are getting indexed rather than the two fields.

DalJeanis · ‎01-17-2017

Do you want them indexed, or extracted at search time?

umeshagarwal · ‎01-18-2017

I want to them to be indexed.

I want to parse the below structured data. I want only second and third field to get indexed and rest to be discarded. I am using the below configuration:

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor