Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my props and transforms for proper extraction and output when searching select fields?

shreyasathavale
Communicator
‎03-26-2015 03:16 PM

I have setup a search to read a log file which is in txt format and it has various fields. What i want is when i run a search, it should give selected fields as output by reading the log file. Currently it is giving output what it is in log file as it is.
I have made changes in props.conf and transforms.conf, but still no use

transforms.conf:

FIELDS="Timestamp","Name","Success"
DELIMS=","

props.conf:

INDEXED_EXTRACTIONS = "Name of what i put in transforms.conf"
TZ = UTC
0 Karma
Reply

maciep
Champion
‎03-26-2015 07:30 PM

I believe INDEXED_EXTRACTIONS actually happens at input time and doesn't use transforms at all. Instead, you probably want search time extractions on your data. So try changing INDEXED_EXTRACTIONS to REPORT- in your props. For example:

Props.conf

[your_sourcetype]
REPORT-headers1 = my_sourcetype_headers
TZ = UTC

Transforms.conf

[my_sourcetype_headers]
FIELDS="Timestamp","Name","Success"
DELIMS=","
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...