This question may seem pretty silly but I'm really clueless about SPLUNK.
I do know where to configure the props.conf,however,I'm not too sure how do I configure the transform.conf for my logs. How do I go about doing it?
Do I put the transform.conf into the field where I input my props.conf as well? (At the start when I'm importing my data into SPLUNK)
Please help me!
Hi JeffTanYH
If your props.conf is looking sometyhing like
[source::"yoursource"]
"some props.conf entries e.g KV_MODE,SEDCMD"
REPORT-report = unclean
then it will reference the stanza "unclean" in transforms.conf
your transforms.conf would look like
[unclean]
CLEAN_KEYS = 0
DELIMS = "(""|", "="
Hope that clears things up for you
Mat
Not sure exactly what you are asking. Transforms.conf would be located in the same folder as props.conf. I would suggest looking at some other answers on here to find one that matches what you are trying to accomplish.
http://splunk-base.splunk.com/search/?q=transforms.conf
You are probably looking to do one of the following:
Customize field extraction at index-time
Route and filter data
Specification and example files for transforms.conf
Create and maintain search-time field extractions through configuration files
http://docs.splunk.com/Special:SplunkSearch/docs?q=transforms.conf