Getting Data In

Transforms.conf to props.conf?

patricianaguit
Explorer

I created a new app named sample_app_1. Inside my new app's local folder i created a transforms.conf that will be called to my props.conf. However, my configurations in both file didnt work properly. What seems to be the problem?

Below is my config:

props.conf
[sample_logs_12]

DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
REPORT-delimiter = sample_trans

transforms.conf

[sample_trans]
DELIMS = "\r\n", ":"

0 Karma

Elsurion
Communicator

You have stored the props.conf/transforms.conf under <sample_app_1>/default or <sample_app_1>/local?
these are the search paths of splunk where to look for these files.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi patricianaguit,
at first, you're speaking of ingestion of a csv file or a field extraction at search time?

the method you're using is only to extract fields at search time, to ingest a csv file you have to follow a different approach (see at http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Extractfieldsfromfileswithstructureddata ).

Anyway, to extract fields at search time you have to create a props.conf like the one you used and a transforms.conf adding the following row with the list of your fields

FIELDS = <quoted string list>

as you can see at https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Transformsconf

After, you can verify the way to deploy props and transforms to your

Bye.
Giuseppe

0 Karma

FrankVl
Ultra Champion

Are you deploying this on a single instance deployment? If not, on what type of splunk instance did you deploy this in you distributed environment?

What does the respective inputs.conf look like, what does the data look like and what does "didn't work properly" mean? Did you get some results but incorrect, or no extractions at all?

Regarding the props.conf: why do you have that empty DATETIME_CONFIG setting in there, maybe that breaks things?

Does splunkd.log on this instance report any issues after restarting? (did you even restart after deploying this app?)

0 Karma

patricianaguit
Explorer

I was trying to extract fields using "DELIMS". And no fields were extracted

Below is the example log:
Start time: 20171108163003
Username: admin_sample

0 Karma

493669
Super Champion

have you tried
transforms.conf

[sample_trans]
DELIMS = "\r\n", ":"
FIELDS = field1 , field2 
0 Karma

mayurr98
Super Champion

provide some sample logs and tell us what you are trying to achieve?

0 Karma

patricianaguit
Explorer

I was trying to extract fields using "DELIMS".

Below is the example log:
Start time: 20171108163003
Username: admin_sample

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...