- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Transforms.conf to props.conf?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transforms.conf to props.conf?
I created a new app named sample_app_1. Inside my new app's local folder i created a transforms.conf that will be called to my props.conf. However, my configurations in both file didnt work properly. What seems to be the problem?
Below is my config:
props.conf
[sample_logs_12]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
REPORT-delimiter = sample_trans
transforms.conf
[sample_trans]
DELIMS = "\r\n", ":"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have stored the props.conf/transforms.conf under <sample_app_1>/default or <sample_app_1>/local?
these are the search paths of splunk where to look for these files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi patricianaguit,
at first, you're speaking of ingestion of a csv file or a field extraction at search time?
the method you're using is only to extract fields at search time, to ingest a csv file you have to follow a different approach (see at http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Extractfieldsfromfileswithstructureddata ).
Anyway, to extract fields at search time you have to create a props.conf like the one you used and a transforms.conf adding the following row with the list of your fields
FIELDS = <quoted string list>
as you can see at https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Transformsconf
After, you can verify the way to deploy props and transforms to your
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you deploying this on a single instance deployment? If not, on what type of splunk instance did you deploy this in you distributed environment?
What does the respective inputs.conf look like, what does the data look like and what does "didn't work properly" mean? Did you get some results but incorrect, or no extractions at all?
Regarding the props.conf: why do you have that empty DATETIME_CONFIG setting in there, maybe that breaks things?
Does splunkd.log on this instance report any issues after restarting? (did you even restart after deploying this app?)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was trying to extract fields using "DELIMS". And no fields were extracted
Below is the example log:
Start time: 20171108163003
Username: admin_sample
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you tried
transforms.conf
[sample_trans]
DELIMS = "\r\n", ":"
FIELDS = field1 , field2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
provide some sample logs and tell us what you are trying to achieve?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was trying to extract fields using "DELIMS".
Below is the example log:
Start time: 20171108163003
Username: admin_sample
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
