Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

should i define source type in splunk or props.conf at first??

Tridi123
New Member
‎10-01-2012 09:59 AM

I am uploading my_file.txt in splunk under sourcetype TARGET_ONE.The content of my file is Fname|Mname|Lname|age|location abhay|vikram|singh|26|kolkata murari|kumar|bhartia|25|Bangalore

for field extraction I have defined props.conf and transform.conf as following:

props.conf

[TARGET_ONE]
NO_BINARY_CHECK = 1
pulldown_type = 1
KV_MODE=none
SHOULD_LINEMERGE=false
TRANSFORMS-comment=Extract_TARGET_ONE

transforms.conf
[Extract_TARGET_ONE]
DELIMS = "|"
FIELDS = "Fname","Mname","Lname","age","location"

but should i define it in props.conf and transform.conf before defining in splunk-web sourcetype??

can any one teel is there any wrong with code because i want to avoid regex i want extarct all fields with Delims.

If some one provide me with some code detais it wiil be helpful as my final objective is to bring my_file data as tabular format writing table quiery in search time??

Tags (1)
0 Karma
Reply

bmacias84
Champion
‎10-01-2012 10:18 AM

Editing the props.conf and transforms.conf directly is the same as using the splunk-web interface to define sourcetypes and transforms. However the splunk-web interface does NOT give you the ability to use some of the more advanced setttings/stanzas. Another thing to note is by edit throught he splunk-web interface you are NOT required to restart splunk, by edit the files directly splunk sometimes requires a restart for your changes to take effect.

With regards to your transforms and props file don't see any cause for alarm and it should work just fine, but I can only really guess since your sample is fairly small. I will say that the pulldown_type is an Internal Settings that specifies "NOT YOURS. DO NOT SET".

Reply

Tridi123
New Member
‎10-02-2012 03:22 AM

then for extraction can i set

CHECK_FOR_HEADER=TRUE (for automating extraction header)
then for extraction i have to write in props.conf only.

actual file size is very bug and it conatin 25 fields with delimiter "|"

0 Karma
Reply

bmacias84
Champion
‎10-01-2012 12:58 PM

I agree with Ayn. After many conversations with Splunk staff, they recommend doing all field extraction in search-time. TRANSFROM is an Index-time operation and has performance implications. Also creates additions to
Splunk's default set of indexed fields. Moding those defaults can have all types of unintended results.

USE instead:



REPORT-comment=Extract_TARGET_ONE





EXTRACT-comment=Extract_TARGET_ONE

0 Karma
Reply

Ayn
Legend
‎10-01-2012 11:49 AM

The TRANSFORMS directive is for index-time extractions. These should not be used unless absolutely necessary, and only by people who really know what they're doing. Use REPORT for search-time extractions.

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top