Hi Splunkers,
I have a sample Perforce log file and I'm trying to extract the code contributors.
Here is an example:
Change 2 on 2010/09/12 by janedoe@machine1 'bla bla bla2'
Change 1 on 2010/09/12 by johndoe@machine2 'ya ya ya1'
This is what I have in transforms.conf:
[grabPerforceCodeContributor]
REGEX = (\S*@\S*)
FORMAT = perforceCodeContributor::"$1"
WRITE_META = true
In the props.conf:
[PerforceCommitLog]
TRANSFORMS-getContributorName = grabPerforceCodeContributor
In the fields.conf:
[perforceCodeContributor]
INDEXED=true
I would like to know why I am seeing perforceCodeContributor=$1 when I do sourcetype="PerforceCommitLog" in the search app?
This is the URL of the doc I referred to:
http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsatindextime
Help?
PerforceCommitLog is the sourcetype I defined when defining Data Inputs in the Manager.
Let me recommend that you do not use TRANSFORMS for index time extractions. Use REPORT (or EXTRACT) for search time. Remember that Splunk full-text indexes anyway, so in almost every single case, you don't gain anything in performance, and you lose a lot of flexibility. This is going to be true with your data and the fields you index. Therefore either:
props.conf:
[PerforceCommitLog]
REPORT-getContributorName = getContributorName
transforms.conf:
[getContributorName]
REGEX = (\S*@\S*)
FORMAT = perforceCodeContributor::$1
or just props.conf:
[PerforceCommitLog]
EXTRACT-contributorName = (?<perforceCodeContributor>\S*@\S*)
In both cases, you won't need fields.conf.
And for the record, the reason you're seeing the result right now (again, it is much better for you to do search-time extractions)
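Added example, not part of the original answer: a Python check of the answer's extraction regex against the question's two sample lines before it goes into props.conf. It goes beyond the thread by comparing it with an anchored pattern, so that an `@` token in description text is not recorded as the contributor. The anchored pattern, the two constructed lines and the names LOOSE, ANCHORED, extract and compare are assumptions made for this example.

```python
import re

# The answer's EXTRACT pattern. Splunk (PCRE) writes the named group as
# (?<name>...); Python's re module spells the same thing (?P<name>...).
LOOSE = re.compile(r"(?P<perforceCodeContributor>\S*@\S*)")

# Assumption (not from the thread): a pattern anchored on the
# "Change N on YYYY/MM/DD by user@client" layout of the sample lines.
ANCHORED = re.compile(
    r"^Change \d+ on \d{4}/\d{2}/\d{2} by "
    r"(?P<perforceCodeContributor>[^\s@]+@[^\s@]+)"
)

# First two lines are the question's sample; the last two are constructed.
SAMPLE = [
    "Change 2 on 2010/09/12 by janedoe@machine1 'bla bla bla2'",
    "Change 1 on 2010/09/12 by johndoe@machine2 'ya ya ya1'",
    "    reviewed by ops@example.com",   # constructed: description text
    "    merged @ 14:00",                # constructed: bare '@'
]


def extract(pattern, line):
    """Return the perforceCodeContributor value, or None if no match."""
    m = pattern.search(line)
    return m.group("perforceCodeContributor") if m else None


def compare(lines):
    """Return (line, loose_value, anchored_value) for every input line."""
    return [(ln, extract(LOOSE, ln), extract(ANCHORED, ln)) for ln in lines]


if __name__ == "__main__":
    for line, loose, anchored in compare(SAMPLE):
        print(f"{line!r}\n  loose={loose!r}  anchored={anchored!r}")
```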
Also, I have these 3 files in this directory:
$SPLUNK_HOME/etc/system/local