Getting Data In

Splunk indexing using everyother fieldname

Communicator

I am running into an issue with my transforms and props config files, my data is being logged properly to my index but when I set my fields in the transforms.conf it only takes everyother fieldname. Below are my transforms.conf stanza with the work-around I have implemented and my props.conf, clearly this is a bad method and i am trying to figure out why splunk would be taking everyother fieldname

transforms.conf

    [mySourcetype]
     DELIMS = ", "
     FIELDS = "timestamp", "", "levelname", "", "someid", "", "somecode", "", "someothercode", "",      "someotherid"

That empty double bracket is the only way for my logs to be formatted properly.

props.conf

  [mySourcetype]
  TRUNCATE = 0
  MAX_EVENTS = 10000
  MAX_TIMESTAMP_LOOKAHEAD = 60
  SHOULD_LINEMERGE = false
  TIME_FORMAT = %Y-%m-%d %H:%M:%S
  REPORT-mySourcetype = mySourcetype
  BREAK_ONLY_BEFORE = TIMESTAMP
  KV_MODE = auto
  given_type = csv
0 Karma

Communicator

A sample bit of my data looks like this:

"2014-01-06 10:22:19", "[INFO]", "SomeID", "ABCD", "EFGH", "1234"

"2014-01-06 10:22:19", "[DEBUG]", "SomeOtherID", "AAAA", "BBBB", "ABABA"

0 Karma

Legend

It looks like you have both a comma and a space in your DELIMS

DELIMS = ", "

So you are telling Splunk that both a comma and a space are a delimiter. If your data looks like this

Mary, 12345, Utah
Pat, 98765, Virginia

Then perhaps Splunk is seeing the data like this

Mary<delim>null<delim>12345<delim>null<delim>Utah
etc.

Try
DELIMS = ","

Also, as others have suggested, a sample of your data would also be very helpful.

Legend

In props.conf, I think you should set

KV_MODE = none

since you are explicitly extracting the fields in transforms.conf - And Very Important:
YOU SHOULD NOT SET given_type, so remove

given_type = csv

0 Karma

Communicator

A backslash between first set of double quotes, and backslash before second pair.

0 Karma

Communicator

removing the space from my DELIMS stanza fixes one problem but then because my data is quoted and separated by commas the data is coming into Splunk with the quotes. This causes me to have to use a escape character to run any search. For example:

levelname="\"[INFO]\""

This is how I would have to run a search

0 Karma

Splunk Employee
Splunk Employee

I can't replicate your issue. The empty double bracket should not be an issue. What version are you running?
Can you post an obfuscated data sample?

0 Karma

SplunkTrust
SplunkTrust

Please provide an example of your data.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!