I have a app that is deployed on a host that polls a csv file. I can get data in to the Splunk indexer, but it does not recognize the fields as described in the transforms.conf file located in the apps default directory. Here is what I have.
C:\Program
Files\SplunkUniversalForwarder\etc\apps\vievents\default
inputs.conf
[monitor://E:\Logs\vcenter\vievents.csv]
disabled = false
sourcetype = vievents_csv
props.conf
[vievents_csv]
SHOULD_LINEMERGE = false
TRANSFORMS-vievents = vievents_extractions
transforms.conf
[vievents_extractions]
DELIMS=","
FIELDS="CreatedTime","Key","ChainId","EventType","UserName","Datacenter","ComputeResource","Host","Vm","Ds","Net","Dvs","FullFormattedMessage"
How do I get splunk to recognize the fields? Thanks.
... View more