Splunk Search

No results showing up in search after adding source

sourabhguha
Explorer

Hi,

The following is my input. It is a set of tab-delimited files. Here is a sample. I made updates to props.conf and transforms.conf. I have included the sections for it below.

When I go to the Search app, no data shows up in the data summary. I get a message saying "Waiting for data".

30cb85e3-a3e5-46f9-89e6-3fc0ff9ea70c 3bf80a12-74f8-d104-1d0d-7a05bd517eb4 San Jose \N 4.0 \N \N \N 4.0 \N \N \N 7.999561309814453 1.57784907023112 6.421712239583333 80.2758050207666 7.999561309814453 \N \N \N 2013-10-26 00:00:00 2013-10-26 00:59:59

I made local updates to props.conf and transforms.conf. Here are the updates.
PROPS.CONF
[ComputeUtilization2]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %M-%D-%Y %H:%M:%S
TIME_PREFIX = ^([^\t]*\t){20}
pulldown_type = 1
REPORT = getcsvfields

TRANSFORMS.CONF
[getcsvfields]
DELIMS = "\t"
FIELDS = tenant,MGId,HostGroup,TotalVMsPerHG,TotalpCoreForHG,UsedpCoreForHG,FreepCoreForHG,CoreAvailabilityPercentForHG,AvgTotalCoresPerHost,vCoresPerVMForHG,vCoreTopCoreRatio,FreevCoresForHG,TotalpMemInGBForHG,UsedpMemInGBForHG,FreepMemInGBForHG,MemAvailabilityPercentForHG,AvgTotalMemoryPerHost,vMemPerVMForHG,vMemTopMemRatio,FreevMemForHG,BucketStartTime,BucketEndTime

0 Karma

ShaneNewman
Motivator

PROPS.CONF

[ComputeUtilization2]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %M-%D-%Y %H:%M:%S
TIME_PREFIX = ^([\w\-\.]+\s+){21}
pulldown_type = 1
REPORT = getcsvfields

TRANSFORMS.CONF

[getcsvfields]
DELIMS = "\t"
FIELDS = tenant, MGId, HostGroup, TotalVMsPerHG, TotalpCoreForHG, UsedpCoreForHG, FreepCoreForHG, CoreAvailabilityPercentForHG, AvgTotalCoresPerHost, vCoresPerVMForHG, vCoreTopCoreRatio, FreevCoresForHG, TotalpMemInGBForHG, UsedpMemInGBForHG, FreepMemInGBForHG, MemAvailabilityPercentForHG, AvgTotalMemoryPerHost, vMemPerVMForHG, vMemTopMemRatio, FreevMemForHG, BucketStartTime, BucketEndTime
0 Karma

ShaneNewman
Motivator

Go to the search bar and pipe your main search to | extract getcsvfields

Does that extract the fields correctly?

0 Karma

sourabhguha
Explorer

Btw, here's what I am doing to update the configs. I am updating the files in the following location.

C:\Program Files\Splunk\etc\system\local

Then I go to the Splunk UI and restart the server.

0 Karma

sourabhguha
Explorer

Hi, I tried the above updates, but I am still having the same issue. Is there any additional information that I can send?

0 Karma
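
An added example, not posted by anyone in the thread: a Python check of what each TIME_PREFIX quoted above leaves for timestamp parsing on the sample event. It assumes Python's `re` treats these two patterns the same way Splunk's regex engine does and that the sample line is tab-delimited with "San Jose" as one field; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the event from the question, rebuilt with real tabs
# (assumption: "San Jose" is a single tab-delimited field).
SAMPLE_VALUES = ["30cb85e3-a3e5-46f9-89e6-3fc0ff9ea70c",
                 "3bf80a12-74f8-d104-1d0d-7a05bd517eb4", "San Jose",
                 r"\N", "4.0", r"\N", r"\N", r"\N", "4.0", r"\N", r"\N", r"\N",
                 "7.999561309814453", "1.57784907023112", "6.421712239583333",
                 "80.2758050207666", "7.999561309814453", r"\N", r"\N", r"\N",
                 "2013-10-26 00:00:00", "2013-10-26 00:59:59"]
EVENT = "\t".join(SAMPLE_VALUES)

# The two TIME_PREFIX values posted in the thread.
PREFIX_QUESTION = r"^([^\t]*\t){20}"
PREFIX_REPLY = r"^([\w\-\.]+\s+){21}"

# Layout of the sample's timestamp, written with Python strptime directives.
SAMPLE_LAYOUT = "%Y-%m-%d %H:%M:%S"

def text_after_prefix(prefix, event):
    """Return the text that follows the prefix match, or None if no match."""
    m = re.match(prefix, event)
    return None if m is None else event[m.end():]

def parses_as(text, fmt, width=19):
    """True if the first `width` characters of text parse with fmt."""
    if text is None:
        return False
    try:
        datetime.strptime(text[:width], fmt)
        return True
    except ValueError:
        return False

def report(event):
    """Map each posted prefix to (remaining text, parses with SAMPLE_LAYOUT)."""
    out = {}
    for name, prefix in (("question", PREFIX_QUESTION), ("reply", PREFIX_REPLY)):
        rest = text_after_prefix(prefix, event)
        out[name] = (rest, parses_as(rest, SAMPLE_LAYOUT))
    return out

if __name__ == "__main__":
    print("fields in event:", len(EVENT.split("\t")))
    for name, (rest, ok) in report(EVENT).items():
        print(name, "->", repr(rest), "| parses:", ok)
```

The `\N` placeholders and the space inside "San Jose" are the inputs worth keeping in any test event, since they are what separates a tab-based prefix from a word-and-whitespace one.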