Getting Data In

Transforms.conf to props.conf?

Explorer

I created a new app named sample_app_1. Inside my new app's local folder i created a transforms.conf that will be called to my props.conf. However, my configurations in both file didnt work properly. What seems to be the problem?

Below is my config:

props.conf
[sample_logs_12]

DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
REPORT-delimiter = sample_trans

transforms.conf

[sample_trans]
DELIMS = "\r\n", ":"

0 Karma

Communicator

You have stored the props.conf/transforms.conf under <sample_app_1>/default or <sample_app_1>/local?
these are the search paths of splunk where to look for these files.

0 Karma

Legend

Hi patricianaguit,
at first, you're speaking of ingestion of a csv file or a field extraction at search time?

the method you're using is only to extract fields at search time, to ingest a csv file you have to follow a different approach (see at http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Extractfieldsfromfileswithstructureddata ).

Anyway, to extract fields at search time you have to create a props.conf like the one you used and a transforms.conf adding the following row with the list of your fields

FIELDS = <quoted string list>

as you can see at https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Transformsconf

After, you can verify the way to deploy props and transforms to your

Bye.
Giuseppe

0 Karma

Ultra Champion

Are you deploying this on a single instance deployment? If not, on what type of splunk instance did you deploy this in you distributed environment?

What does the respective inputs.conf look like, what does the data look like and what does "didn't work properly" mean? Did you get some results but incorrect, or no extractions at all?

Regarding the props.conf: why do you have that empty DATETIME_CONFIG setting in there, maybe that breaks things?

Does splunkd.log on this instance report any issues after restarting? (did you even restart after deploying this app?)

0 Karma

Explorer

I was trying to extract fields using "DELIMS". And no fields were extracted

Below is the example log:
Start time: 20171108163003
Username: admin_sample

0 Karma

Super Champion

have you tried
transforms.conf

[sample_trans]
DELIMS = "\r\n", ":"
FIELDS = field1 , field2 
0 Karma

SplunkTrust
SplunkTrust

provide some sample logs and tell us what you are trying to achieve?

0 Karma

Explorer

I was trying to extract fields using "DELIMS".

Below is the example log:
Start time: 20171108163003
Username: admin_sample

0 Karma