Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Not able to extract _raw data using props.conf and transforms.conf

kulsplunk
Explorer
‎08-02-2017 11:54 AM

Hello Splunk Gurus,

I'm extracting the data from database-input (using Splunk DBX 3.1.0) and sourcing that to index "my_index". When I search from Splunk I see the following output:

*Splunk Search: * index=my_index sourcetype=my_dbx_st source=test_tbl_dbx31_input | table _taw

Output:
2017-08-01 11:01:01.509, access_time="2017-03-30 6:44:16.0", process_id="PROC7678", internal_id="2436", internal_name="Test_Reports", user_id="487657"

access_time = access_time="2017-03-30 6:44:16.0"
process_id = process_id="PROC7678"
internal_id = internal_id="2436"
internal_name = internal_name="Test_Reports"
user_id = user_id="487657"

props.conf
[my_audit]
SHOULD_LINE_MERGE=false
KV_MODE=auto
REPORT-my_audit_extract=my_audit_extractions

transforms.conf
[my_audit_extractions]
DELIMS = ","
FIELDS = default_time, access_time, process_id, internal_id, internal_name, user_id

Problem
I'm not able to extract _raw data using props.conf and transforms.conf here. Also you will notice that I had to use an extra field "default_time" in FIELDS sections because that field-value gets populated automatically as a first system-field.

Am I missing any key properties in the props.conf or transforms.conf to get my field extracted properly as following?

access_time="2017-03-30 6:44:16.0"
process_id="PROC7678"
internal_id="2436"
internal_name="Test_Reports"
user_id="487657"

Thanks for your help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sbbadri
Motivator
‎08-02-2017 12:07 PM

@kulsplunk
transforms.conf
[my_audit_extractions]
REGEX = \d+-\d+-\d+\s\d+:\d+:+d.\d+\saccess_time=\"(\d+-\d+-\d+\s\d+:\d+:\d+.\d+)"\,\sprocess_id=\"(\S+)\"\,\sinternal_id=\"(\d+)\"\,\sinternal_name=\"(\S+)\"\,\suser_id="(\d+)\"
FORMAT= access_time::$1 process_id::$2 internal_id::$3 internal_name::$4 user_id::$5

or

index=my_index sourcetype=my_dbx_st source=test_tbl_dbx31_input | table access_time process_id internal_id internal_name user_id

because you are using KV_MODE=auto so that all the fields will be extracted already. so you don't want to use transforms at all

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-02-2017 12:13 PM

You raw data has classic key-value pair format and field should already be extracted. Are you setting up just to get the default_time field? Also, your current transform.conf entry is treating raw data as CSV, so even the field header will appear as value. My suggestion would to just setup a props.conf EXTRACT-defaulttime = ^(<default_time>[^,]+) for default_time and get rid of the transforms.conf.

0 Karma
Reply
Solved! Jump to solution

kulsplunk
Explorer
‎08-02-2017 12:54 PM

Thanks a lot for your answer! I got rid of transforms.conf and added the EXTRACT-defaulttime to extract the default time.

0 Karma
Reply
Solved! Jump to solution
Solution

sbbadri
Motivator
‎08-02-2017 12:07 PM

@kulsplunk
transforms.conf
[my_audit_extractions]
REGEX = \d+-\d+-\d+\s\d+:\d+:+d.\d+\saccess_time=\"(\d+-\d+-\d+\s\d+:\d+:\d+.\d+)"\,\sprocess_id=\"(\S+)\"\,\sinternal_id=\"(\d+)\"\,\sinternal_name=\"(\S+)\"\,\suser_id="(\d+)\"
FORMAT= access_time::$1 process_id::$2 internal_id::$3 internal_name::$4 user_id::$5

or

index=my_index sourcetype=my_dbx_st source=test_tbl_dbx31_input | table access_time process_id internal_id internal_name user_id

because you are using KV_MODE=auto so that all the fields will be extracted already. so you don't want to use transforms at all

0 Karma
Reply
Solved! Jump to solution

kulsplunk
Explorer
‎08-02-2017 12:50 PM

Thanks much! I just got rid of transforms.conf and it worked fine.

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...