Hi guys,
I made the following configuration in props.conf in Splunk:
C:\Program Files\Splunk\etc\system\local
[sctmainframe]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
REPORT-myname = mainframe-extract
And in the transforms.conf file too:
[mainframe-extract]
EXTRACT = (?<INSTCLI>\d{3})(?<BANCOCLI>\d{3})(?<AGENCLI>\d{4})
The sourcetype "sctmainframe" appears for me as a new sourcetype in the Splunk Web admin interface, but it doesn't work correctly.
What am I doing wrong?
In your transforms.conf you need REGEX, not EXTRACT:
[mainframe-extract]
REGEX = (?<INSTCLI>\d{3})(?<BANCOCLI>\d{3})(?<AGENCLI>\d{4})
Good spotting! Missed that one.
Thanks jacobwilkins, worked fine.
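As an added check, not part of the original thread, the Python below reproduces the mismatch jacobwilkins spotted: it parses the two stanzas from the question (embedded as constructed strings rather than read from disk), flags a REPORT- target whose transforms.conf stanza has no REGEX key, and runs the corrected regex over a constructed mainframe record. The sample event and the field meanings in its comment are assumptions.

```python
import configparser
import re
# Constructed stand-ins for the two files in the question (nothing is read from disk).
PROPS_CONF = r"""[sctmainframe]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
REPORT-myname = mainframe-extract
"""
TRANSFORMS_BROKEN = r"""[mainframe-extract]
EXTRACT = (?<INSTCLI>\d{3})(?<BANCOCLI>\d{3})(?<AGENCLI>\d{4})
"""
TRANSFORMS_FIXED = r"""[mainframe-extract]
REGEX = (?<INSTCLI>\d{3})(?<BANCOCLI>\d{3})(?<AGENCLI>\d{4})
"""
SAMPLE_EVENT = "0010341234 CUSTOMER RECORD"  # constructed: inst 001, bank 034, branch 1234


def load_conf(text):
    """Parse Splunk .conf text; keys stay case-sensitive, as Splunk treats them."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep REGEX / EXTRACT / REPORT-myname as written
    parser.read_string(text)
    return parser


def check_report_transforms(props_text, transforms_text, sourcetype):
    """Return problems in the REPORT-* -> transforms.conf linkage (empty list = OK)."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    problems = []
    for key, target in props[sourcetype].items():
        if not key.startswith("REPORT-"):
            continue
        for stanza in (s.strip() for s in target.split(",")):
            if stanza not in transforms:
                problems.append(f"{key}: stanza [{stanza}] missing from transforms.conf")
            elif "REGEX" not in transforms[stanza]:
                # EXTRACT-<name> is a props.conf key; a transforms.conf stanza needs REGEX.
                problems.append(f"[{stanza}] has no REGEX (EXTRACT is a props.conf key)")
    return problems


def apply_transform(transforms_text, stanza, event):
    """Run the stanza's REGEX over one event and return the captured named fields."""
    regex = load_conf(transforms_text)[stanza]["REGEX"]
    # Splunk uses PCRE named groups (?<name>...); Python's re wants (?P<name>...).
    pattern = re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", regex))
    match = pattern.search(event)
    return match.groupdict() if match else {}
```

Running check_report_transforms with TRANSFORMS_BROKEN returns the single complaint about the missing REGEX, while TRANSFORMS_FIXED passes and apply_transform yields INSTCLI, BANCOCLI and AGENCLI from the sample record.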
In addition to your configs, you should perhaps post a few sample events, the results you get, and an idea of the results you want to achieve. Otherwise it will be very hard for anybody to try to help you.
/k