I created a new app named sample_app_1. Inside my new app's local folder i created a transforms.conf that will be called to my props.conf. However, my configurations in both file didnt work properly. What seems to be the problem?
Below is my config:
props.conf
[sample_logs_12]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
REPORT-delimiter = sample_trans
transforms.conf
[sample_trans]
DELIMS = "\r\n", ":"
You have stored the props.conf/transforms.conf under <sample_app_1>/default
or <sample_app_1>/local
?
these are the search paths of splunk where to look for these files.
Hi patricianaguit,
at first, you're speaking of ingestion of a csv file or a field extraction at search time?
the method you're using is only to extract fields at search time, to ingest a csv file you have to follow a different approach (see at http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Extractfieldsfromfileswithstructureddata ).
Anyway, to extract fields at search time you have to create a props.conf like the one you used and a transforms.conf adding the following row with the list of your fields
FIELDS = <quoted string list>
as you can see at https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Transformsconf
After, you can verify the way to deploy props and transforms to your
Bye.
Giuseppe
Are you deploying this on a single instance deployment? If not, on what type of splunk instance did you deploy this in you distributed environment?
What does the respective inputs.conf look like, what does the data look like and what does "didn't work properly" mean? Did you get some results but incorrect, or no extractions at all?
Regarding the props.conf: why do you have that empty DATETIME_CONFIG setting in there, maybe that breaks things?
Does splunkd.log on this instance report any issues after restarting? (did you even restart after deploying this app?)
I was trying to extract fields using "DELIMS". And no fields were extracted
Below is the example log:
Start time: 20171108163003
Username: admin_sample
have you tried
transforms.conf
[sample_trans]
DELIMS = "\r\n", ":"
FIELDS = field1 , field2
provide some sample logs and tell us what you are trying to achieve?
I was trying to extract fields using "DELIMS".
Below is the example log:
Start time: 20171108163003
Username: admin_sample