DB-Connect - Extract OK, but need some fields transform [remove spaces]

verbal_666
Builder

Hi guys.
I had a correct DB-Connect connection with a right SELECT and the right import of the table/fields I want.

A problem:

1) the raw data seems to be right, e.g.,
2019-xx-xx 01:00:00.000, TIPOLOGIA="XXXXX", CATEGORIA="XXXXX", HOSTNAME="XXXXX", SISTEMA OPERATIVO="XXXXX"
... timestamp is right, fields are in the raw data...

2) now the problem... I can search the raw data as well, as said, but Splunk Enterprise 7.0.0, at index time, creates wrong fields when it finds a [SPACE] in the field name... so "SISTEMA OPERATIVO" becomes "OPERATIVO"; "SISTEMA[space]" is cut from the field name...

3) solution #1: transform the field in the select, " select 'SISTEMA OPERATIVO' as 'SISTEMA_OPERATIVO' ... "; OK, but I have many fields with this absurd development (developers should be whipped!!!)

4) solution #2: I can certainly act at indexing time with props/transforms, right? May I use "CLEAN_KEYS" in transforms, with a preceding REPORT- in props, to do the "trick"? Or something similar?

Thanks.

0 Karma

verbal_666
Builder

Add-on: I also used the "trick" here,

https://answers.splunk.com/answers/417403/how-to-extract-fields-from-splunk-db-connect-2-dat.html

... and I got it; it works search-side, _raw-side... the problem remains index-side: fields are saved/indexed with the wrong field name.

0 Karma
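
Added example, not part of the original posts and not Splunk's own extraction code: a Python model of the truncation described above, next to a space-aware extraction that cleans keys by replacing non-alphanumeric characters with underscores, which is what the CLEAN_KEYS setting named in the post does. The regexes, function names and sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample event in the shape shown in the post (values are placeholders).
RAW = ('2019-01-01 01:00:00.000, TIPOLOGIA="A", CATEGORIA="B", '
       'HOSTNAME="srv01", SISTEMA OPERATIVO="Linux"')

# Naive model (assumption): the key is the last run of non-space characters
# before '=', which reproduces the "SISTEMA OPERATIVO" -> "OPERATIVO" cut.
NAIVE = re.compile(r'(\S+)="([^"]*)"')

# Space-aware model: a key starts at the beginning of the event or after a
# comma, begins with a letter or underscore, and may contain spaces up to '='.
AWARE = re.compile(r'(?:^|,\s*)([A-Za-z_][\w ]*?)\s*="([^"]*)"')


def clean_key(key):
    """Replace non-alphanumeric characters with '_' and drop leading '_'/digits."""
    key = re.sub(r'[^A-Za-z0-9_]', '_', key.strip())
    return re.sub(r'^[_0-9]+', '', key)


def extract_naive(raw):
    """Field extraction that breaks on spaces inside field names."""
    return dict(NAIVE.findall(raw))


def extract_clean(raw):
    """Field extraction that keeps the whole key and normalises it."""
    fields = {}
    for key, value in AWARE.findall(raw):
        name = clean_key(key)
        if not name:
            continue  # key consisted only of characters that were stripped
        if name in fields:
            # Two source columns collapsing into one name would silently lose data.
            raise ValueError(f"field name collision after cleaning: {name!r}")
        fields[name] = value
    return fields


if __name__ == "__main__":
    print("naive:", extract_naive(RAW))
    print("clean:", extract_clean(RAW))
```

The collision check matters when many columns are renamed at once: two column names that differ only in punctuation or spacing end up as the same field after cleaning.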