Hi,
I am currently working in a new environment where I am trying to do field extraction based on a pipe delimiter.
1) A new app (say my_app) with only inputs.conf is pushed onto the target UF through the deployment server.
inputs.conf:
[monitor:///path1/file1]
index=my_index
soyrcetype=my_st
2) Data is getting ingested and the requirement is to do field extraction on all the events separated by pipe delimiter (12345|2021-09-12 11:12:34 345|INFO|blah|blah|blah blah)
My approach followed
1) Create a new app (plain folder my_app) on my deployer and push it to the search heads with below conf files
I felt it was simple to achieve and did this. Somehow it's not working. Did I miss any step to link the app on the forwarder and the SHC?
ls my_app/default/
app.conf props.conf transforms.conf
props.conf
[my_st]
REPORT-getfields = getfields
transforms.conf
[getfields]
DELIMS = "|"
FIELDS = "thread_id","timestamp","loglevel","log_tag","message"
Just to make sure - that "soyrcetype" is just a typo on forums, not in your actual config?
Yes, sourcetypes and indexes are just examples in this forum. My config doesn't have typos.
@isoutamo - it worked after setting up permissions in default.meta. Thanks for your reply. It worked 🙂
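
The thread resolves with permissions in default.meta but never shows the file. As an added illustration (not taken from any post above), a metadata/default.meta for my_app that shares only the search-time extraction objects outside the app could look like this; the file contents and the role names are assumptions:

```ini
# my_app/metadata/default.meta  (constructed example, not the poster's file)

# Export only the objects the extraction needs (props and transforms)
# instead of exporting everything in the app with a bare [] stanza.
# Readers: all roles. Writers: admin only (role names are assumptions).
[props]
access = read : [ * ], write : [ admin ]
export = system

[transforms]
access = read : [ * ], write : [ admin ]
export = system
```

Scoping the export to `[props]` and `[transforms]` keeps any other objects later added to the app private to it, and limiting write access to admin prevents other roles from altering the shared extraction.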