Hello
I have a csv file which I need to index and the data looks like
6-Dec-12,R18541,,APPROVED,HDG,,3953,CS,Digital Support,NO,VIRTUAL REUSE,ISCW,2,WINDOWS,4,4,,5297,,,,8,8,8192,12,2012
I did create the props.conf in indexers as
[capacity:performance]
SHOULD_LINEMERGE=false
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
In webviews props.conf has been set as
[capacity:performance]
REPORT-capacity_performance = capacity_performance_fields
The transforms have been set as below. In the data, where there is ,, even those field headers have been mentioned. Would that create a problem?
[capacity_performance_fields]
DELIMS = ","
FIELDS = "date","effort","description","status","source","request","businesscase","area","Function", "planned","acquisition","location","servers","OS","processors","memory","tier","rar","col2","col22","col1","proctotal","memtota","month","year"
And local.meta has been set as
[transforms/capacity_performance_fields]
access = read : [ * ]
export = system
owner = nobody
version = 4.3.3
[props/capacityperformance/REPORT-capacity_performance]
access = read : [ * ]
export = system
owner = nobody
version = 4.3.3
It looks correct though, but the data isn't separating according to how transforms has been mentioned and separated by commas. Any idea on how to solve this?
It's working now. I made the blunder of not placing : in the props config in local.meta.
It should be capacity:performance. Thanks.
Any help??
^^ My bad. I didn't check the spelling mistake.
I was trying to separate the file using transforms and I am not seeing any fields. Sourcetype is showing the data, but the fields are not separated.
In addition - are you aware / happy with the various versions of 'performace' vs performance?
Also, what do you think you are referencing with capacity:performance? I don't believe they will be actually pointing at any data in that form.
Could you elaborate on what you mean by that the data isn't "separating"? The data will look exactly like it did originally when you load it into Splunk, it will not be changed in any way. What the REPORT/DELIMS stuff does is that at SEARCH TIME it extracts data in the events into fields. Is the problem that you're not seeing these fields?
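The stanza-name mismatch that turned out to be the cause in this thread can be caught by cross-checking props.conf, transforms.conf and local.meta against each other. The Python below is an added example, not part of any post and not Splunk tooling; `parse_conf` and `check` are hypothetical names, the inputs are constructed from the stanzas quoted above, and percent-decoding of local.meta stanza names (so that `capacity%3Aperformance` also matches) is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed inputs, abridged from the stanzas quoted in the thread.
PROPS = """[capacity:performance]
REPORT-capacity_performance = capacity_performance_fields
"""
TRANSFORMS = """[capacity_performance_fields]
DELIMS = ","
"""
LOCAL_META = """[transforms/capacity_performance_fields]
export = system
[props/capacityperformance/REPORT-capacity_performance]
export = system
"""

def parse_conf(text):
    """Parse .conf-style text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check(props_text, transforms_text, meta_text):
    """Return a list of dangling references between the three files."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    known = {"props": props, "transforms": transforms}
    problems = []
    # Every REPORT-<class> must name a stanza that exists in transforms.conf.
    for stanza, attrs in props.items():
        for key, value in attrs.items():
            if key.startswith("REPORT-"):
                for name in (n.strip() for n in value.split(",")):
                    if name not in transforms:
                        problems.append(f"props [{stanza}] {key}: no transform [{name}]")
    # Every local.meta entry must point at a stanza that exists.
    # Names are percent-decoded, so capacity%3Aperformance matches too.
    for meta in parse_conf(meta_text):
        conf, _, rest = meta.partition("/")
        target = unquote(rest.split("/")[0])
        if conf in known and target not in known[conf]:
            problems.append(f"local.meta [{meta}]: no {conf}.conf stanza [{target}]")
    return problems

if __name__ == "__main__":
    for problem in check(PROPS, TRANSFORMS, LOCAL_META):
        print(problem)
```

Run against the configuration as first posted, it reports the single local.meta entry whose props stanza name lacks the colon.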