Sample Data:
FILED1|FIELD2|FIELD3|FIELD4
INDIA|AGRICULTURE|HELLO|200
AMERICA|FOOD|HELLO |404
CHINA|PEOPLE|HI|402
NEPAL|COLTHS|HI|411
Output should have only the FIELD2 & FIELD3 data.
inputs.conf
[monitor://C:\testauths*.txt]
index=main
sourcetype=mytestdata
props.conf
[mytestdata]
CHARSET=AUTO
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS=csv
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
FIELD_DELIMITER=|
HEADER_FIELD_LINE_NUMBER=0
REPORT-fields = getLogData
transforms.conf
[getLogData]
DELIMS = "|"
FIELDS= "",FIELD2,FIELD3,""
I am sure I am making a mistake somewhere.
Hi @umeshagarwal008
You can use field transformations in props, TRANSFORMS-q=nq
then in transforms.conf
[nq]
REGEX=CHINA.*|NEPAL.*
DEST_KEY=queue
FORMAT=nullQueue
Hope this helps.
Regards,
Pramodh
Here are some things I'd try, one at a time:
A) change to INDEXED_EXTRACTIONS=psv.
(This may not help but should not hurt.)
B) change namespace from REPORT-fields to REPORT-search or REPORT-yourappname.
(This is my best guess of the real issue.)
C) remove pulldown_type clause
(In the admin manual, it says # NOT YOURS. DO NOT SET.)
D) remove disabled clause
(I don't find it in the admin manual for that stanza.)
I tried the above changes, but now I am not getting any data indexed.
Which change caused the data to stop indexing?
After restarting Splunk, all the data is getting indexed rather than just the two fields.
Do you want them indexed, or extracted at search time?
I want them to be indexed.
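Since the thread ends on the index-time versus search-time question, here is an added example (not from the thread or from Splunk) that walks through what the index-time route would look like. A REPORT- stanza is applied at search time; index-time fields come from a TRANSFORMS- stanza with REGEX, FORMAT and WRITE_META = true (plus a fields.conf entry marking the field INDEXED = true). The script below emulates that REGEX/FORMAT extraction and the nullQueue routing from Pramodh's answer on the question's own sample lines, so the regexes can be checked before they go into transforms.conf. The stanza names getLogData and dropHeader, the FILED1 header pattern and the sample lines are taken from the question; everything else is an assumption for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, copied from the question's "Sample Data".
# Line 0 is the header row; note the trailing space in "HELLO ".
SAMPLE_LINES = [
    "FILED1|FIELD2|FIELD3|FIELD4",
    "INDIA|AGRICULTURE|HELLO|200",
    "AMERICA|FOOD|HELLO |404",
    "CHINA|PEOPLE|HI|402",
    "NEPAL|COLTHS|HI|411",
]

# Assumed transforms.conf stanza for an index-time extraction of the two
# wanted columns (props.conf would reference it as TRANSFORMS-fields = getLogData,
# and fields.conf would carry [FIELD2] / [FIELD3] with INDEXED = true):
#   [getLogData]
#   REGEX = ^[^|]*\|([^|]*)\|([^|]*)\|
#   FORMAT = FIELD2::$1 FIELD3::$2
#   WRITE_META = true
EXTRACT_REGEX = r"^[^|]*\|([^|]*)\|([^|]*)\|"
EXTRACT_FORMAT = "FIELD2::$1 FIELD3::$2"

# Assumed stanza that drops the header row with the nullQueue routing from
# Pramodh's answer, keyed on the header text instead of country names:
#   [dropHeader]
#   REGEX = ^FILED1\|FIELD2\|
#   DEST_KEY = queue
#   FORMAT = nullQueue
HEADER_REGEX = r"^FILED1\|FIELD2\|"


def apply_format(fmt: str, match: "re.Match") -> Dict[str, str]:
    """Expand a FORMAT of the shape 'name::$n name::$n' against a regex match."""
    fields = {}
    for token in fmt.split():
        name, ref = token.split("::", 1)
        fields[name] = match.group(int(ref.lstrip("$")))
    return fields


def extract_fields(line: str) -> Optional[Dict[str, str]]:
    """Return the index-time fields for one raw line, or None if REGEX does not match."""
    m = re.search(EXTRACT_REGEX, line)
    if not m:
        return None
    return apply_format(EXTRACT_FORMAT, m)


def route(line: str) -> str:
    """Decide which queue a line goes to: header rows are sent to nullQueue."""
    return "nullQueue" if re.search(HEADER_REGEX, line) else "indexQueue"


def process(lines: List[str]) -> List[Tuple[str, Optional[Dict[str, str]]]]:
    """Emulate the pipeline: drop nullQueue lines, then extract fields from the rest.

    Each element is (raw event, extracted fields). The raw event is kept whole,
    which is what an index-time TRANSFORMS does: it adds fields, it does not
    rewrite _raw.
    """
    out = []
    for line in lines:
        if route(line) == "nullQueue":
            continue
        out.append((line, extract_fields(line)))
    return out


if __name__ == "__main__":
    for raw, fields in process(SAMPLE_LINES):
        print(repr(raw), "->", fields)
```

Two things the run makes visible: the header row never reaches the index, and the value for FIELD3 on the AMERICA line is `'HELLO '` with its trailing space intact, because the regex keeps everything between delimiters. If that whitespace is unwanted, it needs to be stripped at the source or handled in the regex; an index-time field is written once and cannot be cleaned up afterwards without re-indexing.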