Splunk Search

Getting no data in extracted field after configuring data in props.conf and transform.conf

Tridi123
New Member

Hi,
I am uploading my_file.txt in Splunk under sourcetype TARGET_ONE. The content of my file
is:
Fname|Mname|Lname|age|location
abhay|vikram|singh|26|kolkata
murari|kumar|bhartia|25|Bangalore

For field extraction I have defined props.conf and transform.conf as follows:

props.conf

[TARGET_ONE]
NO_BINARY_CHECK = 1
pulldown_type = 1
KV_MODE=none
SHOULD_LINEMERGE=false
TRANSFORMS-comment=Extract_TARGET_ONE
REPORT-header=Extract_TARGET_ONE_fields

transform.conf

[Extract_TARGET_ONE]
REGEX=.*
DEST_KEY=queue
FORMAT=nullQueue

[Extract_TARGET_ONE_fields]
DELIMS = "|"
FIELDS = "Fname","Mname","Lname","age","location"

My input.conf file looks like this:
[default]
host = CAPRSGDVWPSPL01

[monitor://C:\Users\lg133108\Desktop\TARGET_ONE\my_file.txt]
disabled = false
followTail = 0
sourcetype = TARGET_ONE

With this code I am actually getting fields extracted in Splunk Web, but no value has been extracted
under these fields.

As an example, when I write the query

sourcetype=TARGET_ONE | table "Fname"

it returns nothing, but the field has been extracted.

Do I need to modify the regex in transform.conf?

Can anybody help with this?

0 Karma
1 Solution

Ayn
Legend

You don't get any extracted fields at all. When you do table somefields it will always output the header which includes the fieldnames, even if there are no matching events.

What you've done is configure Splunk to drop all events with sourcetype TARGET_ONE.

What are you trying to accomplish?

Tridi123
New Member

Can you provide me some details? It will be very helpful.

0 Karma

Tridi123
New Member

Then what procedure should I follow here?
To automate field extraction, should I configure
props.conf and transforms.conf?

0 Karma

Ayn
Legend

That is no field extraction. That is an index-time transform that will match an incoming event against the regex .* (which means EVERYTHING) and send all matching events to the queue "nullQueue", which is the same as dropping the events completely.

Tridi123
New Member

This is to extract fields by configuring files.

We are calling transforms.conf in props.conf.
If you can give me the solution via code it will be helpful.
Thanks

0 Karma

Ayn
Legend

Then I'm confused about what the idea is with this:

TRANSFORMS-comment=Extract_TARGET_ONE

[Extract_TARGET_ONE]
REGEX=.*
DEST_KEY=queue
FORMAT=nullQueue

0 Karma

Tridi123
New Member

I want to index data and extract the fields automatically by configuring
props.conf and transform.conf, then I want to generate a tabular representation of the data.

0 Karma
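
An added example, not part of the original thread or written by its participants: the configuration from the question with the nullQueue transform narrowed so that it no longer drops every event. It assumes the intent behind TRANSFORMS-comment was to discard only the header row of the file; if that is not the intent, removing the TRANSFORMS-comment line and its stanza has the same effect on the data rows.

```ini
# ---- props.conf ----
[TARGET_ONE]
NO_BINARY_CHECK = 1
pulldown_type = 1
KV_MODE = none
SHOULD_LINEMERGE = false
# Index-time transform. Kept, but its regex is now scoped to the header
# row only (see transforms.conf below).
TRANSFORMS-comment = Extract_TARGET_ONE
# Search-time field extraction, unchanged from the question.
REPORT-header = Extract_TARGET_ONE_fields

# ---- transforms.conf ----
# As posted in the question: .* matches every event, so every event of
# this sourcetype is routed to nullQueue and never reaches the index.
# [Extract_TARGET_ONE]
# REGEX = .*
# DEST_KEY = queue
# FORMAT = nullQueue

# Narrowed version (assumption: only the header row should be dropped).
# The pipes are escaped because "|" is alternation in a regex.
[Extract_TARGET_ONE]
REGEX = ^Fname\|Mname\|Lname\|age\|location
DEST_KEY = queue
FORMAT = nullQueue

# Delimiter-based search-time extraction, unchanged from the question.
[Extract_TARGET_ONE_fields]
DELIMS = "|"
FIELDS = "Fname","Mname","Lname","age","location"
```

Index-time transforms only apply to data indexed after the change, so events already sent to nullQueue are not in the index and the file has to be ingested again. The REPORT- extraction runs at search time and needs no re-indexing.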