Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

field is not getting extracted in splunk web interface

Tridi123
New Member
‎10-04-2012 05:41 AM

hi
my inputfile looks like
empid|name|age
356102|tutun|27
365771|king|28
i have configured props.conf file and transforms.conf in location C:\Program Files\Splunk\etc\system\local which is as below:

**props.conf**
[text] 
NO_BINARY_CHECK = 1 
KV_MODE=none 
SHOULD_LINEMERGE=false
REPORT-comment=Extract_text

**transforms.conf**
[Extract_text] 
DELIMS= "|"
FIELDS= "empid","name","age"

but after restarting splunk i am not getting the fields empid,name and age getting extracted in splunk web interface on left panel
can any one help on this becuase my requirement is to make log data in table format using table query in
web interface

Tags (1)
0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-04-2012 06:08 AM

I believe that your inputs.conf needs to reference a sourcetype. The sourcetype is the classification of your data.

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Whysourcetypesmatter

In props.conf you have a stanza with [text] therefore the sourcetype set for your input should have:

[default] 
host = 01HW447731
sourcetype=text

http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf

[]
* This stanza enables properties for a given .
* A props.conf file can contain multiple stanzas for any number of different .
* Follow this stanza name with any number of the following attribute/value pairs, as appropriate
for what you want to do.
* If you do not set an attribute for a given , the default is used.

can be:
1. , the source type of an event.
2. host::, where is the host for an event.
3. source::, where is the source for an event.
4. rule::, where is a unique name of a source type classification rule.
5. delayedrule::, where is a unique name of a delayed source type
classification rule.
These are only considered as a last resort before generating a new source type based on the
source seen.

0 Karma
Reply

Ayn
Legend
‎10-04-2012 06:03 AM

inputs.conf on the host you got this data from, please.

0 Karma
Reply

Tridi123
New Member
‎10-04-2012 06:02 AM

location for inputs.conf is C:\Program Files\Splunk\etc\system\local

0 Karma
Reply

Tridi123
New Member
‎10-04-2012 06:01 AM

inputs.conf looks like
[default]
host = 01HW447731

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-04-2012 05:52 AM

Try putting a space between FIELDS so it looks like this:

FIELDS = "empid", "name", "age"

http://docs.splunk.com/Documentation/Splunk/5.0/admin/Transformsconf

0 Karma
Reply

Tridi123
New Member
‎10-04-2012 06:03 AM

location C:\Program Files\Splunk\etc\system\local
inputs.conf looks like
[default]
host = 01HW447731

do i need to change it??

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-04-2012 05:44 AM

Can you add your inputs.conf settings to your original question as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...