I have the following entry in my local input.conf file.
[script://.\bin\execPS.cmd zDBA_AAG_Server.ps1]
source = Powershell
sourcetype = testType
interval = 10
index = mssql
The contents of the batch wrapper execPS.cmd file:
@ECHO OFF
SET MYSPLUNKAPP=Splunk_TA_windows
REM Quote the whole assignment, not just the value: SET X="..." keeps the quotes
REM inside the variable, which then break the quoting of the PowerShell command line.
SET "SPLUNK_HOME=C:\Program Files\SplunkUniversalForwarder"
REM %1 is the script name passed as the argument in the inputs.conf stanza.
REM -NoProfile keeps a user profile from running in the scripted-input context.
Powershell -NoProfile -command ". '%SPLUNK_HOME%\etc\apps\%MYSPLUNKAPP%\bin\powershell\%1'"
The output is 7 fields, pipe delimited, and Splunk figures out the first half of each event/row/record. The fourth (and seventh) field has d.hh:mm:ss, and I think this throws Splunk off, because when I search the index the events have no data in fields 4-7, just the pipes.
Server01|10.10.1.10|Windows 2012|.::||||.::
How do I explicitly define the pipe char as the field delimiter?
I've tried these two entries in the transforms.conf file, but neither seemed to work.
[Powershell]
DELIMS="|"
FIELDS="Col1","Col2","Col3","Col4","Col5","Col6","Col7"
and
[testType]
DELIMS="|"
FIELDS="Col1","Col2","Col3","Col4","Col5","Col6","Col7"
Thanks
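For reference, this is how a DELIMS/FIELDS extraction is normally wired up (an added example, not part of the original post and not Splunk's own documentation). A transforms.conf stanza is never applied just because its name matches a source or sourcetype; it has to be referenced from a props.conf stanza for that sourcetype (or source) through a REPORT- setting. The sourcetype testType, the source Powershell and the seven column names come from the post; the stanza name ps_pipe_fields is a placeholder chosen here. Both files are search-time settings, so they belong on the search head (or indexer), not on the universal forwarder that carries the inputs.conf.

```ini
# props.conf on the search head / indexer (added example, not from the post)
[testType]
REPORT-ps_pipe_fields = ps_pipe_fields

# Alternative: key the same transform on the source set in inputs.conf
# [source::Powershell]
# REPORT-ps_pipe_fields = ps_pipe_fields

# transforms.conf, same location; ps_pipe_fields is an assumed stanza name
[ps_pipe_fields]
DELIMS = "|"
FIELDS = "Col1","Col2","Col3","Col4","Col5","Col6","Col7"
```

After a splunkd restart, `index=mssql sourcetype=testType | table Col1 Col2 Col3 Col4 Col5 Col6 Col7` should show the columns. Two things to check against the sample line before tuning the extraction: it contains seven pipes, which is eight values, so either the script emits one more column than expected or one of the names in FIELDS has nothing to land on; and the empty columns (`||||`) and the bare `.::` in columns 4 and 8 are what the script printed, so no search-time extraction can recover values there. Run the .ps1 by hand and look at its raw output first; an empty TimeSpan pushed through a d.hh:mm:ss format pattern is one way to end up with `.::`.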