I have an app that is deployed on a host that polls a CSV file. I can get data into the Splunk indexer, but it does not recognize the fields as described in the transforms.conf file located in the app's default directory. Here is what I have.
C:\Program Files\SplunkUniversalForwarder\etc\apps\vievents\default
inputs.conf
[monitor://E:\Logs\vcenter\vievents.csv]
disabled = false
sourcetype = vievents_csv
props.conf
[vievents_csv]
SHOULD_LINEMERGE = false
TRANSFORMS-vievents = vievents_extractions
transforms.conf
[vievents_extractions]
DELIMS=","
FIELDS="CreatedTime","Key","ChainId","EventType","UserName","Datacenter","ComputeResource","Host","Vm","Ds","Net","Dvs","FullFormattedMessage"
How do I get Splunk to recognize the fields? Thanks.
Issue solved. Replaced TRANSFORMS-vievents with REPORT-vievents. Reboot splunkd.
Also needed to rename some field names as they overlap with existing Splunk fields: EventType, Host
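A small lint for the mistake resolved in this thread, as an added example that is not part of the original posts or of any Splunk tooling: it flags a DELIMS/FIELDS transform referenced through TRANSFORMS- (index time) rather than REPORT- (search time), a FIELDS count that does not match the sample row, and field names that overlap Splunk's own. The function names and the RESERVED list are assumptions made for illustration; the configuration and sample row are copied from the thread.

```python
import configparser
import csv

# Configuration and sample row copied from the thread above.
PROPS = """[vievents_csv]
SHOULD_LINEMERGE = false
TRANSFORMS-vievents = vievents_extractions
"""
TRANSFORMS = """[vievents_extractions]
DELIMS=","
FIELDS="CreatedTime","Key","ChainId","EventType","UserName","Datacenter","ComputeResource","Host","Vm","Ds","Net","Dvs","FullFormattedMessage"
"""
ROW = r'''"4/27/2012 1:37:45 PM","71642","71638","VmMacAssignedEvent","IIGCF\lus3","USLAB1","Management","uslab1esxi05.domain.com","FreeBSD",,,,"New MAC address (00:50:56:99:77:90) assigned to adapter c3 88 19 50 5c f5 fa 1a-51 58 6c b7 84 16 7a 90 for FreeBSD"'''
# Assumption: a partial list of field names Splunk itself populates.
RESERVED = {"host", "source", "sourcetype", "index", "eventtype",
            "linecount", "punct", "splunk_server"}


def load(text):
    """Parse .conf text, keeping key case and treating only '=' as separator."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def split_quoted(value):
    """Split a quoted, comma-separated value (FIELDS setting or a CSV row)."""
    return next(csv.reader([value]), [])


def lint(props_text, transforms_text, sample_row):
    props, transforms = load(props_text), load(transforms_text)
    findings = []
    for sourcetype in props.sections():
        for key, value in props[sourcetype].items():
            kind = key.split("-", 1)[0]
            if kind not in ("TRANSFORMS", "REPORT"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if not transforms.has_section(name) or "DELIMS" not in transforms[name]:
                    continue
                if kind == "TRANSFORMS":
                    findings.append(f"[{sourcetype}] {key}: [{name}] uses DELIMS/FIELDS, "
                                    "a search time extraction; reference it with REPORT-")
                fields = split_quoted(transforms[name].get("FIELDS", ""))
                columns = split_quoted(sample_row)
                if len(fields) != len(columns):
                    findings.append(f"[{name}] {len(fields)} FIELDS vs {len(columns)} columns")
                findings += [f"[{name}] field {f} overlaps Splunk field {f.lower()}"
                             for f in fields if f.lower() in RESERVED]
    return findings


if __name__ == "__main__":
    print("\n".join(lint(PROPS, TRANSFORMS, ROW)))
```

Because REPORT- extractions are applied at search time, the corrected props.conf and transforms.conf need to be present where searches run, not only on the universal forwarder.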
Well, I initially included them in the app directory on the forwarded host, but I also copied them to the indexer's system local directory. Rebooted, but no difference.
So, do you have these props.conf / transforms.conf settings on the indexer? Or just the host that the data is read from?
Here you go. I just modified some text for privacy, but otherwise structure is the same. Some of the characters like colons and slashes get stripped.
"4/27/2012 1:37:45 PM","71642","71638","VmMacAssignedEvent","IIGCF\lus3","USLAB1","Management","uslab1esxi05.domain.com","FreeBSD",,,,"New MAC address (00:50:56:99:77:90) assigned to adapter c3 88 19 50 5c f5 fa 1a-51 58 6c b7 84 16 7a 90 for FreeBSD"
Could you post an example row from the raw data?