I have a csv file which I need to index and the data looks like
6-Dec-12,R18541,,APPROVED,HDG,,3953,CS,Digital Support,NO,VIRTUAL REUSE,ISCW,2,WINDOWS,4,4,,5297,,,,8,8,8192,12,2012
I did create the props.conf in indexers as
[capacity:performance]
SHOULD_LINEMERGE=false
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
In webviews props.conf has been set as
[capacity:performance]
REPORT-capacity_performance = capacity_performance_fields
The transforms has been set as below. In the data, where there is ,, even those field headers have been mentioned. Would that create a problem?
[capacity_performance_fields]
DELIMS = ","
FIELDS = "date","effort","description","status","source","request","businesscase","area","Function", "planned","acquisition","location","servers","OS","processors","memory","tier","rar","col2","col22","col1","proctotal","memtota","month","year"
And local.meta has been set as
[transforms/capacity_performance_fields]
access = read : [ * ]
export = system
owner = nobody
version = 4.3.3

[props/capacityperformance/REPORT-capacity_performance]
access = read : [ * ]
export = system
owner = nobody
version = 4.3.3
It looks correct though, but the data isn't separating according to how transforms has been mentioned and separated by commas. Any idea on how to solve this?
^^ My bad. I didn't check the spelling mistake.
I was trying to separate the file using transforms and I am not seeing any fields. Sourcetype is showing the data, but the fields are not separated.
Could you elaborate on what you mean by that the data isn't "separating"? The data will look exactly like it did originally when you load it into Splunk, it will not be changed in any way. What the REPORT/DELIMS stuff does is that at SEARCH TIME it extracts data in the events into fields. Is the problem that you're not seeing these fields?
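An offline pre-flight check for the DELIMS/FIELDS stanza and sample event quoted in this thread, added here as an example and not code from any poster or from Splunk. It assumes a single-character delimiter and that names pair with values left to right with empty values keeping their position; `parse_stanza` and `check_delims` are hypothetical helper names.

```python
import csv
import re

# Stanza and sample event copied from the question in this thread.
TRANSFORMS_STANZA = '''[capacity_performance_fields]
DELIMS = ","
FIELDS = "date","effort","description","status","source","request","businesscase","area","Function", "planned","acquisition","location","servers","OS","processors","memory","tier","rar","col2","col22","col1","proctotal","memtota","month","year"
'''
SAMPLE_EVENT = ("6-Dec-12,R18541,,APPROVED,HDG,,3953,CS,Digital Support,NO,"
                "VIRTUAL REUSE,ISCW,2,WINDOWS,4,4,,5297,,,,8,8,8192,12,2012")


def parse_stanza(text):
    """Return {key: value} for the settings of one .conf stanza."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#")):
            continue  # skip blank lines, the stanza header and comments
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_delims(stanza_text, event):
    """Pair FIELDS names with the event's values by position (assumed model)."""
    conf = parse_stanza(stanza_text)
    delim = conf["DELIMS"].strip('"')           # single character assumed
    names = re.findall(r'"([^"]*)"', conf["FIELDS"])
    values = next(csv.reader([event], delimiter=delim))
    pairs = list(zip(names, values))
    return {
        "names": len(names),
        "values": len(values),
        "pairs": pairs,
        "empty": [n for n, v in pairs if v == ""],   # names landing on ",,"
        "unnamed_values": values[len(names):],       # values with no name left
        "unused_names": names[len(values):],         # names with no value left
    }


if __name__ == "__main__":
    report = check_delims(TRANSFORMS_STANZA, SAMPLE_EVENT)
    print(f"{report['names']} names for {report['values']} values")
    for name, value in report["pairs"]:
        print(f"{name:>14} = {value!r}")
    print("values without a name:", report["unnamed_values"])
```

Run against the sample line, the pairing shows the FIELDS list is one name shorter than the row, so the last named columns are worth comparing against the CSV header.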