Getting Data In

DELIM based fields not showing up in Web manager or search

imawsog
New Member

Hi, I have the following in my environment, but the fields are not visible in "Manager » Fields » Field extractions/Field transformations". The search ( StartTime="0216.15:54:*" ) returns 0 matched records. What am I not doing right?

transform.conf:

[xxx_fields]
DELIMS=";, "
FIELDS = "Node", "StartTime", "EndTime"

prop.conf:

[xxx]
REPORT-xxx_fields = xxx_fields
KV_MODE = none
NO_BINARY_CHECK = false
SHOULD_LINEMERGE = false
pulldown_type = 1

My log file entries look like the following.

NODE1 0216.15:54:04.588 0216.15:54:04.588
NODE1 0216.15:54:01.634 0216.15:54:01.634

0 Karma
1 Solution

Lamar
Splunk Employee

Yeah, based on your data your DELIMS should be set to this:

transforms.conf

[xxx_fields]
DELIMS = " "
FIELDS = Node, StartTime, EndTime

0 Karma
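An added example, not code from this thread or from Splunk: a small Python emulation of the DELIMS/FIELDS search-time extraction that the accepted answer configures, run over the sample events from the question. The split rules used here (each character of the delimiter string splits the event; an optional second delimiter string splits each token into key and value; a double-quoted value keeps the delimiters inside it) are assumed from Splunk's documented behaviour and simplified, and the key/value case goes beyond the thread's positional example.

```python
import fnmatch

# Constructed sample events, copied from the log excerpt in the question.
SAMPLE_EVENTS = [
    "NODE1 0216.15:54:04.588 0216.15:54:04.588",
    "NODE1 0216.15:54:01.634 0216.15:54:01.634",
]

def split_on_delims(text, delims):
    """Split text on any single character in delims, keeping double-quoted
    runs intact (Splunk requires quoting a value that contains a delimiter).
    Empty tokens from adjacent delimiters are dropped; quotes are stripped."""
    tokens, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch in delims and not quoted:
            if current:
                tokens.append("".join(current))
            current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens

def extract(event, delims, fields=None):
    """Approximation of a DELIMS transform (assumed semantics, not Splunk code):
    one delimiter string  -> positional values named by FIELDS;
    two delimiter strings -> each token is split into key/value on the second."""
    tokens = split_on_delims(event, delims[0])
    if len(delims) == 1:
        return dict(zip(fields, tokens))
    result = {}
    for token in tokens:
        kv = split_on_delims(token, delims[1])
        if len(kv) == 2:
            result[kv[0]] = kv[1]
    return result

def search(events, delims, fields, **terms):
    """Return the extracted fields of events matching every field=wildcard term."""
    hits = []
    for ev in events:
        ext = extract(ev, delims, fields)
        if all(fnmatch.fnmatchcase(ext.get(k, ""), v) for k, v in terms.items()):
            hits.append(ext)
    return hits

if __name__ == "__main__":
    # DELIMS = " " and FIELDS = Node, StartTime, EndTime, as in the accepted answer
    for hit in search(SAMPLE_EVENTS, [" "], ["Node", "StartTime", "EndTime"], StartTime="0216.15:54:*"):
        print(hit)
```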

vsingla1
Communicator

I am having the same exact issue.

transforms.conf
[props1_props_tr]
DELIMS = ","
FIELDS = field_1,field_2, field_3,field_4

props.conf
[props1_props_props2]
REPORT-props1_props = props1_props_tr

Both the props.conf and transforms.conf reside in apps/search/local/.
I have selected "ALL", but the transform does not show up in the "Field transformations" page on Splunk Web.
We have a search head cluster implementation. Could this behavior be due to the cluster?
The permissions on my props --> props1_props_props2 are "Global", if that helps.
Is there a solution to this?

0 Karma

imawsog
New Member

Looked into jobs->inspect. I thought the following looks interesting. Also, I do not see any of the fields I defined in transform.conf.

litsearch sourcetype=xxx StartTime="0216*" | fields keepcolorder=t "_raw" "_time" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

I think a sample DELIM file with the corresponding props.conf, transforms.conf and the index step would make the life of a beginner easier.

0 Karma

kristian_kolb
Ultra Champion

No need to re-index - all of this takes place at search time.

Have you looked at the Job Inspector? Click on "Jobs" in the top right corner, find the search you ran and click "inspect".

Other than that, you could/should install Splunk on Splunk (S.o.S), which is great for finding strange errors in your installation. It also requires Sideview Utils. Both are available for free on http://splunk-base.splunk.com/apps

/k

0 Karma

imawsog
New Member

The sourcetype and transform stanza names contain only letters and underscores. That should work, right? You are right about the DELIM. Do I need to reindex, and if so, what is the best way? Is there a log (no pun intended) etc. that I can look into to see what is happening during search?

0 Karma

kristian_kolb
Ultra Champion

Does your sourcetype name (xxx) or transforms stanza name (xxx_fields) contain hyphens (minus/dash/-)? That could surely prevent them from working correctly.

BTW, based on your sample events, your DELIMS could probably be just:

DELIMS = " "

/k

0 Karma

imawsog
New Member

Yes, I have checked all those and nothing shows up even when "all" is selected. The *.conf files are in etc\system\local if that makes a difference.

0 Karma

kristian_kolb
Ultra Champion

Have you checked that you are in the correct app/owner context in manager? (the 2 dropdown menus on the top of the page).

If you select "All" and "Any" respectively, it should be listed as:
xxx: REPORT-xxx_fields

/K

0 Karma