Hi,
I am uploading my_file.txt in Splunk under sourcetype TARGET_ONE. The content of my file
is:
Fname|Mname|Lname|age|location
abhay|vikram|singh|26|kolkata
murari|kumar|bhartia|25|Bangalore
For field extraction I have defined props.conf and transform.conf as follows:
props.conf
[TARGET_ONE]
NO_BINARY_CHECK = 1
pulldown_type = 1
KV_MODE=none
SHOULD_LINEMERGE=false
TRANSFORMS-comment=Extract_TARGET_ONE
REPORT-header=Extract_TARGET_ONE_fields
transform.conf
[Extract_TARGET_ONE]
REGEX=.*
DEST_KEY=queue
FORMAT=nullQueue
[Extract_TARGET_ONE_fields]
DELIMS = "|"
FIELDS = "Fname","Mname","Lname","age","location"
My input.conf file looks like this:
[default]
host = CAPRSGDVWPSPL01
[monitor://C:\Users\lg133108\Desktop\TARGET_ONE\my_file.txt]
disabled = false
followTail = 0
sourcetype = TARGET_ONE
With this code I am actually getting fields extracted in Splunk Web, but no value has been extracted
under these fields.
As an example, when I am writing the query
sourcetype=TARGET_ONE | table "Fname"
it's returning nothing, but the field has been extracted.
Do I need to modify the regex in transform.conf?
Can anybody help with this?
You don't get any extracted fields at all. When you do table somefields it will always output the header which includes the fieldnames, even if there are no matching events.
What you've done is configure Splunk to drop all events with sourcetype TARGET_ONE.
What are you trying to accomplish?
Can you provide me some details? It will be very helpful.
Then what procedure will I follow here?
To automate field extraction, should I configure
props.conf and transforms.conf?
That is no field extraction. That is an index-time transform that will match an incoming event against the regex .* (which means EVERYTHING) and send all matching events to the queue "nullQueue", which is the same as dropping the events completely.
This is to extract fields by configuring files.
We are calling transforms.conf in props.conf.
If you can give me the solution via code it will be helpful.
Thanks
Then I'm confused about what the idea is with this:
TRANSFORMS-comment=Extract_TARGET_ONE
[Extract_TARGET_ONE]
REGEX=.*
DEST_KEY=queue
FORMAT=nullQueue
I want to index data and extract the fields automatically by configuring
props.conf and transform.conf, then I want to generate the tabular format of data representation.
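A configuration that indexes the data rows and still extracts the five fields at search time, as an added example that is not part of any participant's post. It assumes the TRANSFORMS-comment stanza was only ever meant to discard the header row; if that is not the intent, delete the TRANSFORMS-comment line and the [Extract_TARGET_ONE] stanza entirely.

```ini
# props.conf
[TARGET_ONE]
NO_BINARY_CHECK = 1
pulldown_type = 1
KV_MODE = none
SHOULD_LINEMERGE = false
# Index time: route only the header row to nullQueue (assumed intent).
TRANSFORMS-comment = Extract_TARGET_ONE
# Search time: split every indexed event on "|" into named fields.
REPORT-header = Extract_TARGET_ONE_fields

# transforms.conf
[Extract_TARGET_ONE]
# Before: REGEX = .*
# That pattern matches every event, so every event was sent to nullQueue
# and nothing was indexed. Anchor the pattern to the header line instead.
REGEX = ^Fname\|Mname\|Lname\|age\|location
DEST_KEY = queue
FORMAT = nullQueue

[Extract_TARGET_ONE_fields]
DELIMS = "|"
FIELDS = "Fname","Mname","Lname","age","location"
```

Index-time transforms only apply to events indexed after the change, so data already routed to nullQueue has to be read in again; afterwards sourcetype=TARGET_ONE | table Fname Mname Lname age location should return one row per data line. Splunk reads the second file only under the name transforms.conf.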