Getting Data In

Splunk indexing using every other fieldname

JoeSco27
Communicator

I am running into an issue with my transforms and props config files. My data is being logged properly to my index, but when I set my fields in transforms.conf it only takes every other field name. Below are my transforms.conf stanza, with the work-around I have implemented, and my props.conf. Clearly this is a bad method, and I am trying to figure out why Splunk would be taking every other field name.

transforms.conf

    [mySourcetype]
    DELIMS = ", "
    FIELDS = "timestamp", "", "levelname", "", "someid", "", "somecode", "", "someothercode", "", "someotherid"

That empty double bracket is the only way for my logs to be formatted properly.

props.conf

    [mySourcetype]
    TRUNCATE = 0
    MAX_EVENTS = 10000
    MAX_TIMESTAMP_LOOKAHEAD = 60
    SHOULD_LINEMERGE = false
    TIME_FORMAT = %Y-%m-%d %H:%M:%S
    REPORT-mySourcetype = mySourcetype
    BREAK_ONLY_BEFORE = TIMESTAMP
    KV_MODE = auto
    given_type = csv
0 Karma

JoeSco27
Communicator

A sample bit of my data looks like this:

"2014-01-06 10:22:19", "[INFO]", "SomeID", "ABCD", "EFGH", "1234"

"2014-01-06 10:22:19", "[DEBUG]", "SomeOtherID", "AAAA", "BBBB", "ABABA"

0 Karma

lguinn2
Legend

It looks like you have both a comma and a space in your DELIMS:

    DELIMS = ", "

So you are telling Splunk that both a comma and a space are a delimiter. If your data looks like this:

    Mary, 12345, Utah
    Pat, 98765, Virginia

Then perhaps Splunk is seeing the data like this:

    Mary<delim>null<delim>12345<delim>null<delim>Utah
    etc.

Try:

    DELIMS = ","

Also, as others have suggested, a sample of your data would also be very helpful.

lguinn2
Legend

In props.conf, I think you should set

    KV_MODE = none

since you are explicitly extracting the fields in transforms.conf - And Very Important:
YOU SHOULD NOT SET given_type, so remove

    given_type = csv

0 Karma

JoeSco27
Communicator

A backslash between the first set of double quotes, and a backslash before the second pair.

0 Karma

JoeSco27
Communicator

Removing the space from my DELIMS stanza fixes one problem, but then, because my data is quoted and separated by commas, the data is coming into Splunk with the quotes. This causes me to have to use an escape character to run any search. For example:

    levelname="\"[INFO]\""

This is how I would have to run a search.

0 Karma
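To make the two observations in this thread concrete (lguinn2's point that every character in DELIMS is its own delimiter, and JoeSco27's finding that with DELIMS = "," the quotes end up inside the field values), here is a small emulation of the DELIMS/FIELDS positional split. This is an added example written for this page, not Splunk code and not from any of the posters; it follows the documented rule that each individual character of DELIMS splits the event. Treating an empty name in FIELDS as "discard this position" mirrors the poster's workaround but is an assumption about Splunk's behaviour, and the `clean_value` / `extract_clean` helpers are hypothetical post-processing added here to show what a quote-free extraction would look like, not a transforms.conf setting.

```python
"""Emulate Splunk's DELIMS / FIELDS field extraction to reproduce the
'every other field is empty' symptom from the thread.

Added example, not Splunk's own code. Only the character-by-character
splitting rule is taken from Splunk's DELIMS documentation; everything
else here (empty FIELDS names discarding a position, quote stripping) is
an illustrative assumption.
"""

# Constructed sample event, modelled on the one posted in the thread.
SAMPLE_EVENT = '"2014-01-06 10:22:19", "[INFO]", "SomeID", "ABCD", "EFGH", "1234"'

# The poster's field names, without the "" placeholders.
FIELDS = ["timestamp", "levelname", "someid", "somecode", "someothercode", "someotherid"]

# The poster's workaround: an empty name for every other position.
FIELDS_WITH_GAPS = ["timestamp", "", "levelname", "", "someid", "",
                    "somecode", "", "someothercode", "", "someotherid"]


def split_on_delims(event: str, delims: str) -> list[str]:
    """Split `event`, treating EACH character in `delims` as a separator.

    With delims ", " the text "a, b" becomes ["a", "", "b"]: the comma ends
    the first value and the space that follows ends an empty second value.
    This is why a comma-space DELIMS yields an empty value between every
    real value.
    """
    values, current = [], []
    for ch in event:
        if ch in delims:
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
    values.append("".join(current))
    return values


def extract_fields(event: str, delims: str, fields: list[str]) -> dict[str, str]:
    """Pair the split values with FIELDS positionally.

    Assumption: an empty field name ("") discards that position, which is
    the effect the poster relied on with the placeholder names.
    """
    values = split_on_delims(event, delims)
    return {name: value for name, value in zip(fields, values) if name}


def clean_value(value: str) -> str:
    """Hypothetical clean-up: trim whitespace and drop one surrounding pair
    of double quotes, so that levelname can be searched as [INFO] rather
    than as \"[INFO]\" with escaped quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def extract_clean(event: str, delims: str, fields: list[str]) -> dict[str, str]:
    """extract_fields followed by clean_value on every value (hypothetical)."""
    return {k: clean_value(v) for k, v in extract_fields(event, delims, fields).items()}


if __name__ == "__main__":
    # lguinn2's example: ", " produces a null between every real value.
    print(split_on_delims("Mary, 12345, Utah", ", "))
    # The quoted sample with "," alone: no gaps, but quotes stay in the values.
    print(extract_fields(SAMPLE_EVENT, ",", FIELDS))
    # With ", " the timestamp itself is split at its internal space.
    print(extract_fields(SAMPLE_EVENT, ", ", FIELDS_WITH_GAPS))
    # Hypothetical cleaned result.
    print(extract_clean(SAMPLE_EVENT, ",", FIELDS))
```

Running this shows the two halves of the thread side by side: "Mary, 12345, Utah" split on ", " gives ['Mary', '', '12345', '', 'Utah'], exactly the null-between-values pattern lguinn2 describes, while the quoted sample split on "," keeps its quotes and leading spaces. The third call is the caveat a practitioner should note: under the one-character-one-delimiter rule, a space in DELIMS also splits the timestamp value at its own internal space, so the "" placeholders only line up if no value contains a delimiter character; Splunk's DELIMS documentation points to the REGEX setting for values that may contain delimiter characters.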

jharty_splunk
Splunk Employee

I can't replicate your issue. The empty double bracket should not be an issue. What version are you running?
Can you post an obfuscated data sample?

0 Karma

richgalloway
SplunkTrust

Please provide an example of your data.

---
If this reply helps you, Karma would be appreciated.
0 Karma