Getting Data In

Parsing pipe delimiter with props.conf and transforms.conf not working

mlovasco
Explorer

Hi - trying to parse 2 similar sourcetypes with props.conf and transforms.conf but they are not working.  Help would be appreciated! Thanks!

Example events:

sourcetype=avaya:epm:mpplogs

@2021-11-19 09:41:54,070|PAVB_03335|INFO|VB|650636|Session=aipor-mpp001lv-2021323144040-7|Got VoiceXML exception: noinput in 9b99c62c5d35f81d18e547137018bef9663c3bc7a33f60a3f25aa4d55d36e14f|aipor-mpp001lv####

sourcetype=avaya:epm:vpmslogs

@2021-11-19 09:51:10,411 EST||FINE|AppIntfService|VoicePortal|ajp-nio-127.0.0.1-3009-exec-41|Method=PackageInfo::GetBuildVersion()| attempt to locate file on classpath. File = VPAppIntfService.aar|||||||aipva-epm001lv|4000064385####

 

props.conf

[avaya:epm:mpplogs]
REPORT-pipe-separated-fields-mpp = pipe-separated-fields-mpp

[avaya:epm:vpmslogs]
REPORT-pipe-separated-fields-vpms = pipe-separated-fields-vpms

 

transforms.conf

[pipe-separated-fields-mpp]
DELIMS = "|"
FIELDS = "eventTimestamp","eventName","eventLevel","triggerComponent","eventId","eventText","eventDescription","serverName"

[pipe-separated-fields-vpms]
DELIMS = "|"
FIELDS = "eventTimestamp","eventName","eventLevel","triggerComponent","eventMonitor","eventDescription"

(I've tried with and without quotes)

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

There's the problem.  Parsing with these settings happens at search time so the settings need to be on the search heads.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

mlovasco
Explorer

Yes, testing with verbose mode... none of my fields are appearing.

Should also mention that I'm Cloud, but my app is on a deployment server and being successfully deployed to appropriate clients.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

How are you testing this?  Are you using Verbose mode?

---
If this reply helps you, Karma would be appreciated.
0 Karma

mlovasco
Explorer

Yes, testing with verbose mode... none of my fields are appearing.

Should also mention that I'm Cloud, but my app is on a deployment server and being successfully deployed to appropriate clients.

Tags (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Wait a second. To which clients are you deploying this app?

0 Karma

mlovasco
Explorer

Hosts where these logs are located... 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There's the problem.  Parsing with these settings happens at search time so the settings need to be on the search heads.

---
If this reply helps you, Karma would be appreciated.

mlovasco
Explorer

Got it... will reroute my thinking.. thanks!

0 Karma

richgalloway
SplunkTrust
SplunkTrust
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...