Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Impossible to define fields in transforms.conf.

spisiakmi
Communicator
‎09-24-2019 06:01 AM

Hi,

I have simple tab delimited text file.

1 05:45:12 first message 97
1 05:52:15 second message 110
1 05:52:46 third message 97
1 05:53:09 fourth message 110

I want to index it with header definined in transforms.conf
Here are my config files:

**inputs.conf**

[monitor://c:\temp\seho\err\]
disabled = false
index = seho_err_tmp
sourcetype = tsv_WINDOWS-1252
crcSalt=

**props.conf**

[tsv_WINDOWS-1252]
BREAK_ONLY_BEFORE_DATE = 
CHARSET = WINDOWS-1252
INDEXED_EXTRACTIONS = tsv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Tab-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = 1
REPORT-getfields=seho_err_fields

transforms.conf

[seho_err_fields]
DELIMS=":\t"
FIELDS=Fehler,Zeit,Fehlermeldungtext,Fehlernummer

I tried also \t, "\t".

The defined fields never appear in Splunk and the first row from the file is defined as a header by default. Can anybody help me, please?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

spisiakmi
Communicator
‎09-25-2019 07:52 AM

I found a solution, which works. Because I have no possibility to restart the Indexer, I created props.conf on UniFW site like this:

props.conf

[tsv_seho_err]
CHARSET = WINDOWS-1252
DATETIME_CONFIG = 
FIELD_DELIMITER = tab
FIELD_NAMES = Fehler, Zeit, Fehlermeldungtext, Fehlernummer
INDEXED_EXTRACTIONS = tsv
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Benutzerdefiniert
description = Tab getrennte Werte ohne Header
pulldown_type = 1

and it works.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

spisiakmi
Communicator
‎09-25-2019 07:52 AM

I found a solution, which works. Because I have no possibility to restart the Indexer, I created props.conf on UniFW site like this:

props.conf

[tsv_seho_err]
CHARSET = WINDOWS-1252
DATETIME_CONFIG = 
FIELD_DELIMITER = tab
FIELD_NAMES = Fehler, Zeit, Fehlermeldungtext, Fehlernummer
INDEXED_EXTRACTIONS = tsv
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Benutzerdefiniert
description = Tab getrennte Werte ohne Header
pulldown_type = 1

and it works.

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎09-25-2019 08:20 AM

And if I want to skip indexing the third column, I can use this syntax
FIELD_NAMES = Fehler, Zeit, , Fehlernummer

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎09-25-2019 08:25 AM

good, as long as it is not "Impossible"

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎09-24-2019 08:52 PM

nothing better then a question with "Impossible" at the headline
here are the steps to accomplish:
your data created in a file tsv_no_header.txt

1 05:45:12 first message 97
1 05:52:15 second message 110
1 05:52:46 third message 97
1 05:53:09 fourth message 110

in props.conf

[tsv_no_header]
SHOULD_LINEMERGE = false
REPORT-no_header = no_header
LINE_BREAKER = ([\r\n]+)

in transforms.conf

[no_header]
DELIMS = " ","\t"
FIELDS = a,b,c,d,e

note: "\t" supposed to be enough, i used both delimiters as i copied to a text file

screenshot:

alt text

dont forget to restart splunk on the first full instance that "touches" the data, HF or Indexer/s

hope it helps

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎09-25-2019 05:34 AM

Hi Adonio,

i made all the steps, you mentioned, also with the restart of the fw. And unfortunatelly only the first row from the file has been indexed and without the field a and the last value from the first row 97. b=1, c=05:45:12, d=first, e=message.
See the screenshots
https://ibb.co/F4MRJKn
https://ibb.co/5RZjZsH

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎09-25-2019 07:33 AM

@spisiakmi please read my answer all the way
the configurations should be on the first FULL SPLUNK INSTANCE e.g. Heavy Forwarder OR Indexer/s - not a Universal Forwarder
you need to restart that instance after applying configarions

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎09-25-2019 07:50 AM

Thank you. But I have no possibility to restart the Indexer.

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎09-25-2019 04:31 AM

Hi Adonio,

thank you for the reaction. The props.conf and the transforms.conf should be defined on the FW or on the Splunk Server site?

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎09-25-2019 04:36 AM

And if on the Splunk Server (Indexer) site, the Splunk Server should be restarted?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...