Splunk Search

Having trouble setting up delims-based field extraction, fields are not showing up

natrixia
Explorer

I have a simple script that returns some fields in TSV form that looks like this:

Date\tJobName\tCounterName\tValue 

for example:

Apr 14 13:00:00 2011    AlignmentMetrics    SpliCounter 0

I want the splunk indexing/search to pick up these fields (i.e. date, job, counter, value) so I added this to splunk/etc/system/local/props.conf:

[imd-log]
TRANSFORMS = imd-header-fields

And I added this to splunk/etc/system/local/transforms.conf:

[imd-header-fields]
DELIMS = "\t"
FIELDS = "date","job","counter","value"

I then restarted splunk, went to manager/data-inputs remove the job, and added it again with sourcetype=imd-logs. Trouble is in the search app I don't see any of the new fields anywhere. What am I doing wrong?

Tags (1)
1 Solution

David
Splunk Employee
Splunk Employee

Porting my answer to the new splunk-base:

I believe what you want in your props.conf is:

[imd-log]
REPORT-PullTSVFields = imd-header-fields

You also stated sourcetype=imd-logs whereas you have imd-log in the header. You'll need to make sure that the stanza header in props.conf matches your sourcetype exactly.

In the old answers site, you followed-up with:

Thank for the reply. Also, is there a way for splunk to replace it's internal date (i.e. the ones that shows up in the 'search' app) with the date specified by 'logdate'?)

Splunk should automatically pick that up. What are you seeing as the time when you do a search?

View solution in original post

David
Splunk Employee
Splunk Employee

Porting my answer to the new splunk-base:

I believe what you want in your props.conf is:

[imd-log]
REPORT-PullTSVFields = imd-header-fields

You also stated sourcetype=imd-logs whereas you have imd-log in the header. You'll need to make sure that the stanza header in props.conf matches your sourcetype exactly.

In the old answers site, you followed-up with:

Thank for the reply. Also, is there a way for splunk to replace it's internal date (i.e. the ones that shows up in the 'search' app) with the date specified by 'logdate'?)

Splunk should automatically pick that up. What are you seeing as the time when you do a search?

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...