Solved: We have tried to extract index time field extarcti...

rvinil · ‎02-17-2018

We have tried to extract index time field extraction, below are the details..
props.conf:-

[sourcetype]
TRANSFORMS-fieldname = fieldname

Transforms.conf:-

[fieldname]
REGEX = regexquery
FORMAT = fieldname::"$1"
SOURCE_KEY = fieldname

fields.conf:-

[fieldname]
INDEXED = true

Thanks in advance

micahkemp · ‎02-17-2018

You also need WRITE_META = true in your transform.

Also make sure your regex has a capturing group. Your format line says to use the first capture group as the field value.

nkchaitanya · ‎02-18-2018

try as

Transforms.conf
[fieldname]
REGEX =regex
FORMAT = fieldname::"$1"
SOURCE_KEY = fieldname
WRITE_META = true

in Props.conf
[sourcetype]
REPORT-fieldname = fieldname
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true

micahkemp · ‎02-17-2018

You also need WRITE_META = true in your transform.

Also make sure your regex has a capturing group. Your format line says to use the first capture group as the field value.

rvinil · ‎02-19-2018

Hi Micahkemp,

Used the write_meta = true. Its working in my PC, when i used the same ".conf's" in office not able to get the data. Please suggest...

micahkemp · ‎03-01-2018

Which instance did you install this configuration on? It needs to go on the heavy forwarders and indexers.

We have tried to extract index time field extarction