(Adding as answer since I cannot post this as comment)
Sorry to confuse with 2 postings. I was monitoring the other one. You may be right on about the leakage!!! I don't know how this is happening. If I have my transforms exactly like above, I get a blank when I run the command. BUT - when I have the first line in transforms.conf as blank line and run the command I get this :
C:\Program Files\Splunk\bin>btool transforms list test
[test]
CAN_OPTIMIZE = True
CLEAN_KEYS = True
DEFAULT_VALUE =
DELIMS = ","\par
DEST_KEY =
FIELDS = "severity", "alm_no", "site_id", "alm_type","rsv1", "start_time", "end_
time","duration", "rsv2"\par
FORMAT =
LOOKAHEAD = 4096
MV_ADD = False
REGEX =
SOURCE_KEY = _raw
WRITE_META = False
What in the world in \par at the end of my DELIMS? I don't see it when I open the file. Is this causing problem?
BTW, I am very new to his tool and this is the first transforms, props that I am editing. everything else is brand new , i.e, no meddling.
Update after solving DELIMS issue
After I solved the \par mystery, tried again to see that my field extractions are not showing up again. Used test source and here is what I get:
C:\Program Files\Splunk\bin>splunk test sourcetype "C:\Documents and Settings\Sample\trial.csv"
Using logging configuration at C:\Program Files\Splunk\etc\log-cmdline.cfg.
INFO FileClassifierManager - AutoHeader: delim=',', score=1.000, count=17, mode
=8.000, filename="trial.csv"
INFO FileClassifierManager - AutoHeader: filename="trial.csv", found headerline
=[MINOR,56789,/aaa-bbb-bbb/tv-daop/Rkhkjkj #2/Shelf #2/jjj #1, FAIL, , 2010-06-24 21:57:46,2010-06-24 21:59:23,0 00:01:37,N/A]
INFO FileClassifierManager - AutoHeader: skipped saving. found exact transforms
.conf entry, stanza_name="REPORT-AutoHeader" linked in props="csv-3", filename="
trial.csv"
INFO FileClassifierManager - AutoHeader: changing sourcetype from="csv" to="csv
-3" for filename="trial.csv"
PROPERTIES OF C:\Documents and Settings\Sample\trial.csv
Attr:BREAK_ONLY_BEFORE
Attr:BREAK_ONLY_BEFORE_DATE True
Attr:CHARSET AUTO
Attr:CHECK_FOR_HEADER true
Attr:DATETIME_CONFIG \etc\datetime.xml
Attr:KV_MODE none
Attr:LEARN_SOURCETYPE true
Attr:MAX_DAYS_AGO 2000
Attr:MAX_DAYS_HENCE 2
Attr:MAX_DIFF_SECS_AGO 3600
Attr:MAX_DIFF_SECS_HENCE 604800
Attr:MAX_EVENTS 256
Attr:MAX_TIMESTAMP_LOOKAHEAD 128
Attr:MUST_BREAK_AFTER
Attr:MUST_NOT_BREAK_AFTER
Attr:MUST_NOT_BREAK_BEFORE
Attr:REPORT-AutoHeader AutoHeader-2
Attr:SEGMENTATION indexing
Attr:SEGMENTATION-all full
Attr:SEGMENTATION-inner inner
Attr:SEGMENTATION-outer outer
Attr:SEGMENTATION-raw none
Attr:SEGMENTATION-standard standard
Attr:SHOULD_LINEMERGE False
Attr:TRANSFORMS
Attr:TRUNCATE 10000
Attr:is_valid True
Attr:maxDist 100
Attr:pulldown_type true
Attr:sourcetype csv-3
... View more