Solved: Splunk dont show fields after parsed. why?

shayhk · ‎11-26-2013

Sample Log File

2013-10-31|2013-10-31 00:00:00|serv1|ws1|Mozilla|p1=1,p2=2,p3=3|hash1||method1|id||2.01

2013-11-01|2013-10-31 00:00:00|serv1|ws2|Chrome|p1=55,p2=432,p3=3|hash2||method2|id||3.31

2013-10-03|2013-10-31 00:00:00|serv1|ws3|Explorer|p1=34,p2=434434,p3=555555|hash3||method3|id||4.41

Question

The log fields are fixed and there is adlimiter '|' between them

I want that the splunk automaticlly parse data rows into fileds
I add the prop.conf these attributes

DELIMS = "|"

Why dont I see those fields on the Selected/Interesting Fields list?
what am i missing?

lukejadamec · ‎11-26-2013

The DELIMS and FIELDS belong in transforms.conf not props.conf. Also, in FIELDS remove the quotes and delimiters - use a space separated list of fields.

FIELDS = date datetime service ws browser params gui empty method id status ver

You will need an entry in props.conf to point the source or sourcetype to the transform stanza like this:

props.conf

[yoursourcetype]
REPORT-yourfieldlist = fieldlist

transforms.conf

[fieldlist]
DELIMS = "|"

FIELDS = date datetime service ws browser params gui empty method id status ver

View solution in original post

lukejadamec · ‎11-26-2013

The DELIMS and FIELDS belong in transforms.conf not props.conf. Also, in FIELDS remove the quotes and delimiters - use a space separated list of fields.

FIELDS = date datetime service ws browser params gui empty method id status ver

You will need an entry in props.conf to point the source or sourcetype to the transform stanza like this:

props.conf

[yoursourcetype]
REPORT-yourfieldlist = fieldlist

transforms.conf

[fieldlist]
DELIMS = "|"

FIELDS = date datetime service ws browser params gui empty method id status ver

shayhk · ‎11-27-2013

FIELDS = date datetime service ws browser params gui empty method id status ver
or

????

shayhk · ‎11-27-2013

it's not working.
i changed the props.conf + transforms.conf
and restarted the splunk service.

_d_ · ‎11-26-2013

Those attributes belong in a transforms.conf instead.

props.conf [my_sourcetype] REPORT-my_fields = my_fields

transforms.conf [my_fields] DELIMS = "|" FIELDS = "date","datetime","service","ws","browser","params","gui","empty","method","id","status","ver"

EDIT: You need commas between field names.

shayhk · ‎11-27-2013

I did all these thing and still, the fileds i asked for are are not showen in the selected\Interesting fields bar.

lukejadamec · ‎11-26-2013

Don't forget to restart splunkd when you're done with the file.

_d_ · ‎11-26-2013

Yes, as long as the REPORT-xxx in props.conf references the stanza name in transforms.conf.

shayhk · ‎11-26-2013

all i need to do is to create the file and define it like you did?

lukejadamec · ‎11-26-2013

You can't.
You need to create the file on the indexer at:
splunk\etc\system\local\transforms.conf

shayhk · ‎11-26-2013

i dont have a transforms.conf file.
only props.conf.
how can i do it from the SplunkWeb Gui?
thanks

Splunk dont show fields after parsed. why?

Sample Log File

Question

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2