Hi, I have the following in my environment. But fields are not visible in "Manager » Fields » Field extractions/Field transformations". Search (StartTime="0216.15:54:*") returns 0 matched records. What am I not doing right?
[xxx_fields]
DELIMS=";, "
FIELDS = "Node", "StartTime", "EndTime"
[xxx]
REPORT-xxx_fields = xxx_fields
KV_MODE = none
NO_BINARY_CHECK = false
SHOULD_LINEMERGE = false
pulldown_type = 1
My log file entries look like the following.
NODE1 0216.15:54:04.588 0216.15:54:04.588
NODE1 0216.15:54:01.634 0216.15:54:01.634
Yeah, based on your data your DELIMS should be set to this:
transforms.conf
[xxx_fields]
DELIMS = " "
FIELDS = Node, StartTime, EndTime
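To make the DELIMS/FIELDS mechanics concrete, here is a small Python emulation (added here as an example; it is not Splunk's code and it simplifies Splunk's behaviour: every character in the DELIMS string is treated as a delimiter and runs of delimiters are collapsed). It runs the transform over constructed copies of the two sample events from the question, assigns the FIELDS names positionally, and then applies a Splunk-style wildcard search on StartTime. The point for the thread: with these events the space-only DELIMS is enough, and the search should match both lines, so a count of 0 in the real deployment points at the stanza not being loaded rather than at the data.

```python
import fnmatch
import re
from typing import Dict, List

# Constructed sample events, shaped like the two lines in the question.
SAMPLE_EVENTS = [
    "NODE1 0216.15:54:04.588 0216.15:54:04.588",
    "NODE1 0216.15:54:01.634 0216.15:54:01.634",
]

# Field names from the answer's transforms.conf stanza (FIELDS = Node, StartTime, EndTime).
FIELDS = ["Node", "StartTime", "EndTime"]


def extract_delims(event: str, delims: str, fields: List[str]) -> Dict[str, str]:
    """Approximate a Splunk DELIMS/FIELDS transform.

    Simplification (assumption, not a claim about Splunk internals): each
    character in `delims` is a delimiter, consecutive delimiters are collapsed,
    and the resulting tokens are assigned to `fields` in order. Extra tokens
    beyond the FIELDS list are dropped, missing ones simply yield no field.
    """
    pattern = "[" + re.escape(delims) + "]+"
    tokens = [t for t in re.split(pattern, event.strip()) if t]
    return dict(zip(fields, tokens))


def search(events: List[str], delims: str, fields: List[str], **filters: str) -> List[Dict[str, str]]:
    """Run the transform at search time and keep events whose extracted fields
    match every filter. Filters use '*' as a wildcard, like a Splunk field
    search such as StartTime="0216.15:54:*" (fnmatch also honours '?' and
    '[...]', which Splunk does not; the sample filters avoid those)."""
    hits = []
    for ev in events:
        extracted = extract_delims(ev, delims, fields)
        if all(fnmatch.fnmatchcase(extracted.get(name, ""), pat) for name, pat in filters.items()):
            hits.append(extracted)
    return hits


if __name__ == "__main__":
    # Original DELIMS from the question and the corrected one from the answer.
    for delims in (";, ", " "):
        hits = search(SAMPLE_EVENTS, delims, FIELDS, StartTime="0216.15:54:*")
        print(f"DELIMS={delims!r}: {len(hits)} matched records")
        for h in hits:
            print("   ", h)
```

Both delimiter sets contain a space, so in this emulation they split the sample lines identically; the value of the example is the expected field assignment (Node, StartTime, EndTime per line) and the expected hit count, which you can compare against the Job Inspector output of the real search.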
I am having the same exact issue.
transforms.conf
[props1_props_tr]
DELIMS = ","
FIELDS = field_1,field_2, field_3,field_4
props.conf
[props1_props_props2]
REPORT-props1_props = props1_props_tr
Both the props.conf and transforms.conf reside in apps/search/local/
I have selected "ALL" but the transform does not show up in the "Field transformation" page on Splunk Web.
We have a search head cluster implementation. Could this behavior be due to cluster?
The permissions on my props --> props1_props_props2 are "Global", if that helps.
Is there a solution to this?
Looked into jobs->inspect. I thought the following looks interesting. Also I do not see any of the fields I defined in transforms.conf.
litsearch sourcetype=xxx StartTime="0216*" | fields keepcolorder=t "_raw" "_time" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
I think a sample DELIM file with corresponding props.conf, transforms.conf and the index step would make the life of a beginner easier.
No need to re-index - all of this takes place at search time.
Have you looked at the Job Inspector? Click on "Jobs" in the top right corner, find the search you ran and click "inspect".
Other than that, you could/should install Splunk on Splunk (S.o.S), which is great for finding strange errors in your installation. It also requires Sideview Utils. Both are available for free on http://splunk-base.splunk.com/apps
/k
The sourcetype and transform stanza names contain only letters and underscores. That should work, right? You are right about the DELIM. Do I need to reindex, and if so, what is the best way? Is there a log (no pun intended) etc. that I can look into to see what is happening during search?
Does your sourcetype name (xxx) or transforms stanza name (xxx_fields) contain hyphens (minus/dash/-)? That could surely prevent them from working correctly.
BTW, based on your sample events, your DELIMS could probably be just:
DELIMS = " "
/k
Yes, I have checked all those and nothing shows up even when "all" is selected. The *.conf files are in etc\system\local if that makes a difference.
Have you checked that you are in the correct app/owner context in manager? (the 2 dropdown menus on the top of the page).
If you select "All" and "Any" respectively, it should be listed as:
xxx: REPORT-xxx_fields
/K