Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

should i define source type in splunk or props.conf at first??

Tridi123
New Member
‎10-01-2012 09:59 AM

I am uploading my_file.txt in splunk under sourcetype TARGET_ONE.The content of my file is Fname|Mname|Lname|age|location abhay|vikram|singh|26|kolkata murari|kumar|bhartia|25|Bangalore

for field extraction I have defined props.conf and transform.conf as following:

props.conf

[TARGET_ONE]
NO_BINARY_CHECK = 1
pulldown_type = 1
KV_MODE=none
SHOULD_LINEMERGE=false
TRANSFORMS-comment=Extract_TARGET_ONE

transforms.conf
[Extract_TARGET_ONE]
DELIMS = "|"
FIELDS = "Fname","Mname","Lname","age","location"

but should i define it in props.conf and transform.conf before defining in splunk-web sourcetype??

can any one teel is there any wrong with code because i want to avoid regex i want extarct all fields with Delims.

If some one provide me with some code detais it wiil be helpful as my final objective is to bring my_file data as tabular format writing table quiery in search time??

Tags (1)
0 Karma
Reply

bmacias84
Champion
‎10-01-2012 10:18 AM

Editing the props.conf and transforms.conf directly is the same as using the splunk-web interface to define sourcetypes and transforms. However the splunk-web interface does NOT give you the ability to use some of the more advanced setttings/stanzas. Another thing to note is by edit throught he splunk-web interface you are NOT required to restart splunk, by edit the files directly splunk sometimes requires a restart for your changes to take effect.

With regards to your transforms and props file don't see any cause for alarm and it should work just fine, but I can only really guess since your sample is fairly small. I will say that the pulldown_type is an Internal Settings that specifies "NOT YOURS. DO NOT SET".

Reply

Tridi123
New Member
‎10-02-2012 03:22 AM

then for extraction can i set

CHECK_FOR_HEADER=TRUE (for automating extraction header)
then for extraction i have to write in props.conf only.

actual file size is very bug and it conatin 25 fields with delimiter "|"

0 Karma
Reply

bmacias84
Champion
‎10-01-2012 12:58 PM

I agree with Ayn. After many conversations with Splunk staff, they recommend doing all field extraction in search-time. TRANSFROM is an Index-time operation and has performance implications. Also creates additions to
Splunk's default set of indexed fields. Moding those defaults can have all types of unintended results.

USE instead:



REPORT-comment=Extract_TARGET_ONE





EXTRACT-comment=Extract_TARGET_ONE

0 Karma
Reply

Ayn
Legend
‎10-01-2012 11:49 AM

The TRANSFORMS directive is for index-time extractions. These should not be used unless absolutely necessary, and only by people who really know what they're doing. Use REPORT for search-time extractions.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top