Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why arent my props/transforms extracting

tkw03
Communicator
‎10-07-2020 06:17 AM

Hello

I have a field extraction set to extract headers from .txt files. I added the props and transforms to the indexers as well as the search heads but for some reason it isnt working.

 

My props on indexers and search heads:

[storage:data:updated]
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=null
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
TRANSFORMS-splitfieldsv2 = storage-fieldsv2

And my transforms

[storage-fieldsv2]
CLEAN_KEYS = 0
REGEX = ^ *(?<Type>directory|file) +(?<AppliesTo>[^ ]+) +(?<Path>.+) +(?<Snap>[^ ]+) +(?<Hard>[^ ]+) +(?<Soft>[^ ]+) +(?<Adv>[^ ]+) +(?<Used>[^ ]+) +(?<Efficiency>\d+\.\d+\s\:\s\d+) *$

 

I know the extraction is right as I created by testing in my regex tester.

But for some reason this isnt working in testing. The only place I havent added this is to the UF since I was testing manually before adding tio the UF and sending the data? 

 

Any idea why this isnt working?

 

Hers a sample of the .txt file:

Type      AppliesTo  Path                             Snap  Hard    Soft  Adv    Used  Efficiency
--------------------------------------------------------------------------------------------------
directory DEFAULT    /ifs/data/stuff/T1000-Reports No    100.00M -     99.00M 53.00 0.00 : 1
--------------------------------------------------------------------------------------------------
Total: 1

Thanks for the assistance

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-07-2020 07:06 AM

Did you restart the indexers and search heads after modifying the config files?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

tkw03
Communicator
‎10-07-2020 09:14 AM

Well, I pushed the apps via the Cluster Masters(SH and indexer) So I would assume it restarted as necessary. I'll rolling restart my test env to make sure though.

0 Karma
Reply

tkw03
Communicator
‎10-07-2020 09:20 AM

Restart was not the issue

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...