Splunk Search

Getting no data in extracted field after configuring data in props.conf and transform.conf

Tridi123
New Member

Hi,
I am uploading my_file.txt in Splunk under sourcetype TARGET_ONE. The content of my file is
Fname|Mname|Lname|age|location
abhay|vikram|singh|26|kolkata
murari|kumar|bhartia|25|Bangalore

For field extraction I have defined props.conf and transform.conf as follows:

props.conf

[TARGET_ONE]
NO_BINARY_CHECK = 1
pulldown_type = 1
KV_MODE=none
SHOULD_LINEMERGE=false
TRANSFORMS-comment=Extract_TARGET_ONE
REPORT-header=Extract_TARGET_ONE_fields

transform.conf

[Extract_TARGET_ONE]
REGEX=.*
DEST_KEY=queue
FORMAT=nullQueue

[Extract_TARGET_ONE_fields]
DELIMS = "|"
FIELDS = "Fname","Mname","Lname","age","location"

My input.conf file looks like this:
[default]
host = CAPRSGDVWPSPL01

[monitor://C:\Users\lg133108\Desktop\TARGET_ONE\my_file.txt]
disabled = false
followTail = 0
sourcetype = TARGET_ONE

With this code I am actually getting fields extracted in Splunk Web, but no value has been extracted under these fields.

As an example, when I write the query

sourcetype=TARGET_ONE | table "Fname"

it returns nothing, but the field has been extracted.

Do I need to modify the regex in transform.conf?

Can anybody help with this?

0 Karma
1 Solution

Ayn
Legend

You don't get any extracted fields at all. When you do table somefields it will always output the header which includes the fieldnames, even if there are no matching events.

What you've done is configure Splunk to drop all events with sourcetype TARGET_ONE.

What are you trying to accomplish?

Tridi123
New Member

Can you provide me some details? It will be very helpful.

0 Karma

Tridi123
New Member

Then what procedure should I follow here? To automate field extraction, should I configure props.conf and transforms.conf?

0 Karma

Ayn
Legend

That is no field extraction. That is an index-time transform that will match an incoming event against the regex .* (which means EVERYTHING) and send all matching events to the queue "nullQueue", which is the same as dropping the events completely.

Tridi123
New Member

This is to extract fields by configuring files.

We are calling transforms.conf in props.conf.
If you can give me the solution via code, it will be helpful.
Thanks

0 Karma

Ayn
Legend

Then I'm confused about what the idea is with this:

TRANSFORMS-comment=Extract_TARGET_ONE

[Extract_TARGET_ONE]
REGEX=.*
DEST_KEY=queue
FORMAT=nullQueue

0 Karma

Tridi123
New Member

I want to index data and extract the fields automatically by configuring props.conf and transform.conf, then I want to generate the tabular format of data representation.

0 Karma
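
An added example, not part of any post in this thread and not Splunk tooling: a Python check that reads props.conf and transforms.conf text and reports which events an index-time TRANSFORMS rule would route to nullQueue, run against the thread's settings and two assumed corrections. The function name `dropped_events`, both "fix" variants, the regex `^Fname\|` and the sample strings are constructed for illustration, and Python's `re` stands in for Splunk's regex matching.

```python
import configparser
import re
# Constructed samples: the thread's settings (abridged), then two assumed fixes.
PROPS = """
[TARGET_ONE]
TRANSFORMS-comment=Extract_TARGET_ONE
REPORT-header=Extract_TARGET_ONE_fields
"""
TRANSFORMS = """
[Extract_TARGET_ONE]
REGEX=.*
DEST_KEY=queue
FORMAT=nullQueue

[Extract_TARGET_ONE_fields]
DELIMS = "|"
FIELDS = "Fname","Mname","Lname","age","location"
"""
# Assumed fix 1: no index-time transform at all, only the search-time REPORT.
PROPS_REPORT_ONLY = PROPS.replace("TRANSFORMS-comment=Extract_TARGET_ONE\n", "")
# Assumed fix 2: keep the transform but match only the header line.
TRANSFORMS_HEADER_ONLY = TRANSFORMS.replace("REGEX=.*", r"REGEX=^Fname\|")
EVENTS = ["Fname|Mname|Lname|age|location", "abhay|vikram|singh|26|kolkata",
          "murari|kumar|bhartia|25|Bangalore"]

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: Splunk setting names are case-sensitive
    cp.read_string(text)
    return cp

def dropped_events(props_text, transforms_text, events):
    """Map each sourcetype to the events its TRANSFORMS-* rules send to nullQueue.
    REPORT-* settings are search-time only and are ignored here."""
    props, transforms = _parse(props_text), _parse(transforms_text)
    findings = {}
    for sourcetype in props.sections():
        for key, value in props[sourcetype].items():
            names = value.split(",") if key.startswith("TRANSFORMS-") else []
            for name in (n.strip() for n in names):
                rule = transforms[name] if name in transforms else {}
                if rule.get("DEST_KEY") == "queue" and rule.get("FORMAT") == "nullQueue":
                    rx = re.compile(rule.get("REGEX", ""))
                    if hits := [e for e in events if rx.search(e)]:
                        findings.setdefault(sourcetype, []).extend(hits)
    return findings

if __name__ == "__main__":
    print(dropped_events(PROPS, TRANSFORMS, EVENTS))
```

With fix 1 the header line is indexed as an ordinary event; with fix 2 it is dropped at index time while the REPORT stanza still extracts the five fields at search time.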