Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- field extractions are not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my field extractions are not working
tranforms.conf file is
[tms_iisfields]
FIELDS = "date","time","s-ip","cs-method","cs-uri-stem","cs-uri-query","s-port","cs-username","c-ip","cs(User-Agent)","sc-status","sc-substatus","sc-win32-status","time-taken"
props.conf file is
[iis-2]
rename=tms-iis
[tms-iis]
CHECK_FOR_HEADER = False
MAX_TIMESTAMP_LOOKAHEAD = 128
TIME_FORMAT = %Y-%m-%d %H:%M:%S
REPORT-tms_iisfields = tms_iisfields
and search output is
2011-12-19 13:35:56 172.27.70.10 GET /OTPAuthentication/Service.asmx - 443 - 72.246.50.40 Python-urllib/1.17 200 0 0 62
2011-12-19 13:35:56 172.27.70.10 GET /OTPAuthentication/Service.asmx - 443 - 72.247.36.53 Python-urllib/1.17 200 0 0 78
but not showing fields "date","time","s-ip","cs-method","cs-uri-stem","cs-uri-query","s-port","cs-username","c-ip","cs(User-Agent)","sc-status","sc-substatus","sc-win32-status","time-taken" in output
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like this was the issue with the apps permission , now its working...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like this was the issue with the apps permission , now its working...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
still its not working after writing DELIMS = " " in transforms.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it seems like you have forgotten to specify the delimiter in transforms.conf - try the following
[tms_iisfields]
FIELDS = "date","time","s-ip","cs-method","cs-uri-stem","cs-uri-query","s-port","cs-username","c-ip","cs(User-Agent)","sc-status","sc-substatus","sc-win32-status","time-taken"
DELIMS = " "
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
