Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Parsing pipe delimiter with props.conf and transforms.conf not working

mlovasco
Explorer
‎11-19-2021 06:53 AM

Hi - trying to parse 2 similar sourcetypes with props.conf and transforms.conf but they are not working.  Help would be appreciated! Thanks!

Example events:

sourcetype=avaya:epm:mpplogs

@2021-11-19 09:41:54,070|PAVB_03335|INFO|VB|650636|Session=aipor-mpp001lv-2021323144040-7|Got VoiceXML exception: noinput in 9b99c62c5d35f81d18e547137018bef9663c3bc7a33f60a3f25aa4d55d36e14f|aipor-mpp001lv####

sourcetype=avaya:epm:vpmslogs

@2021-11-19 09:51:10,411 EST||FINE|AppIntfService|VoicePortal|ajp-nio-127.0.0.1-3009-exec-41|Method=PackageInfo::GetBuildVersion()| attempt to locate file on classpath. File = VPAppIntfService.aar|||||||aipva-epm001lv|4000064385####

 

props.conf

[avaya:epm:mpplogs]
REPORT-pipe-separated-fields-mpp = pipe-separated-fields-mpp

[avaya:epm:vpmslogs]
REPORT-pipe-separated-fields-vpms = pipe-separated-fields-vpms

 

transforms.conf

[pipe-separated-fields-mpp]
DELIMS = "|"
FIELDS = "eventTimestamp","eventName","eventLevel","triggerComponent","eventId","eventText","eventDescription","serverName"

[pipe-separated-fields-vpms]
DELIMS = "|"
FIELDS = "eventTimestamp","eventName","eventLevel","triggerComponent","eventMonitor","eventDescription"

(I've tried with and without quotes)

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2021 08:38 AM

There's the problem.  Parsing with these settings happens at search time so the settings need to be on the search heads.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

mlovasco
Explorer
‎11-19-2021 07:32 AM

Yes, testing with verbose mode... none of my fields are appearing.

Should also mention that I'm Cloud, but my app is on a deployment server and being successfully deployed to appropriate clients.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2021 07:19 AM

How are you testing this?  Are you using Verbose mode?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mlovasco
Explorer
‎11-19-2021 07:32 AM

Yes, testing with verbose mode... none of my fields are appearing.

Should also mention that I'm Cloud, but my app is on a deployment server and being successfully deployed to appropriate clients.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-19-2021 07:35 AM

Wait a second. To which clients are you deploying this app?

0 Karma
Reply
Solved! Jump to solution

mlovasco
Explorer
‎11-19-2021 07:57 AM

Hosts where these logs are located... 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2021 08:38 AM

There's the problem.  Parsing with these settings happens at search time so the settings need to be on the search heads.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

mlovasco
Explorer
‎11-19-2021 08:39 AM

Got it... will reroute my thinking.. thanks!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2021 10:20 AM

Check out https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F and https://www.aplura.com/assets/pdf/where_to_put_props.pdf

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top