2013-10-31|2013-10-31 00:00:00|serv1|ws1|Mozilla|p1=1,p2=2,p3=3|hash1||method1|id||2.01
2013-11-01|2013-10-31 00:00:00|serv1|ws2|Chrome|p1=55,p2=432,p3=3|hash2||method2|id||3.31
2013-10-03|2013-10-31 00:00:00|serv1|ws3|Explorer|p1=34,p2=434434,p3=555555|hash3||method3|id||4.41
The log fields are fixed and there is a delimiter '|' between them.
I want Splunk to automatically parse data rows into fields.
I added these attributes to props.conf:
DELIMS = "|"
FIELDS = "date"|"datetime"|"service"|"ws"|"browser"|"params"|"gui"|"empty"|"method"|"id"|"status"|"ver"
Why don't I see those fields on the Selected/Interesting Fields list?
What am I missing?
The DELIMS and FIELDS belong in transforms.conf, not props.conf. Also, in FIELDS remove the quotes and delimiters - use a space separated list of fields.
FIELDS = date datetime service ws browser params gui empty method id status ver
You will need an entry in props.conf to point the source or sourcetype to the transform stanza like this:
props.conf
[yoursourcetype]
REPORT-yourfieldlist = fieldlist
transforms.conf
[fieldlist]
DELIMS = "|"
FIELDS = date datetime service ws browser params gui empty method id status ver
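To sanity-check that the FIELDS list above actually lines up with the rows from the question before restarting Splunk, here is an added Python example (not Splunk's code and not from this thread) that emulates a DELIMS/FIELDS split on the three sample rows, names each column, breaks the params column into key/value pairs, and reports any row whose column count does not match the configured field list.

```python
# Field list from the answer above: 12 names, one per '|'-separated column.
FIELDS = ["date", "datetime", "service", "ws", "browser", "params",
          "gui", "empty", "method", "id", "status", "ver"]
DELIM = "|"

# Constructed sample: the three rows from the question, verbatim.
SAMPLE_LOG = """\
2013-10-31|2013-10-31 00:00:00|serv1|ws1|Mozilla|p1=1,p2=2,p3=3|hash1||method1|id||2.01
2013-11-01|2013-10-31 00:00:00|serv1|ws2|Chrome|p1=55,p2=432,p3=3|hash2||method2|id||3.31
2013-10-03|2013-10-31 00:00:00|serv1|ws3|Explorer|p1=34,p2=434434,p3=555555|hash3||method3|id||4.41
"""


def extract(line, fields=FIELDS, delim=DELIM):
    """Split one row on the delimiter and name the columns the way DELIMS/FIELDS would.

    Raises ValueError when the column count differs from the field list: a
    mismatch means the FIELDS list does not describe this data.
    """
    values = line.rstrip("\n").split(delim)
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
    return dict(zip(fields, values))


def parse_params(params):
    """Break the 'params' column (p1=1,p2=2,...) into its own key/value pairs."""
    out = {}
    for kv in params.split(","):
        if kv:
            key, _, value = kv.partition("=")
            out[key] = value
    return out


def check_log(text):
    """Return (rows, errors): parsed rows plus a message for every row that does not fit FIELDS."""
    rows, errors = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # skip blank lines
        try:
            row = extract(line)
            row["params"] = parse_params(row["params"])
            rows.append(row)
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
    return rows, errors


if __name__ == "__main__":
    parsed, problems = check_log(SAMPLE_LOG)
    for row in parsed:
        print(row)
    for problem in problems:
        print("ERROR", problem)
```

Note that the two empty columns in every sample row (the eighth and the eleventh) come through as empty strings, so the field names `empty` and `status` are still needed to keep the count at 12.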
FIELDS = date datetime service ws browser params gui empty method id status ver
or
FIELDS = "date"|"datetime"|"service"|"ws"|"browser"|"params"|"gui"|"empty"|"method"|"id"|"status"|"ver"
????
It's not working.
I changed props.conf + transforms.conf
and restarted the Splunk service.
Those attributes belong in a transforms.conf instead.
props.conf
[my_sourcetype]
REPORT-my_fields = my_fields
transforms.conf
[my_fields]
DELIMS = "|"
FIELDS = "date","datetime","service","ws","browser","params","gui","empty","method","id","status","ver"
EDIT: You need commas between field names.
I did all these things and still the fields I asked for are not shown in the Selected/Interesting Fields bar.
Don't forget to restart splunkd when you're done with the file.
Yes, as long as the REPORT-xxx in props.conf references the stanza name in transforms.conf.
All I need to do is create the file and define it like you did?
You can't.
You need to create the file on the indexer at:
splunk\etc\system\local\transforms.conf
I don't have a transforms.conf file.
Only props.conf.
How can I do it from the SplunkWeb GUI?
Thanks