- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: No results showing up in search after adding s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No results showing up in search after adding source
Hi,
Following is my input. It is a set of tab delimited files. Here is a sample. I made updates to props.conf and transforms.conf. I have included the sections for it below.
When I go to the Search app - no data showing up in the data summary. I get a message saying "Waiting for data"
30cb85e3-a3e5-46f9-89e6-3fc0ff9ea70c 3bf80a12-74f8-d104-1d0d-7a05bd517eb4 San Jose \N 4.0 \N \N \N 4.0 \N \N \N 7.999561309814453 1.57784907023112 6.421712239583333 80.2758050207666 7.999561309814453 \N \N \N 2013-10-26 00:00:00 2013-10-26 00:59:59
I did local updates to props.conf and transforms.conf. here are the updates to it.
PROPS.CONF
[ComputeUtilization2]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %M-%D-%Y %H:%M:%S
TIME_PREFIX = ^([^\t]*\t){20}
pulldown_type = 1
REPORT = getcsvfields
TRANSFORMS.CONF
[getcsvfields]
DELIMS = "\t"
FIELDS = tenant,MGId,HostGroup,TotalVMsPerHG,TotalpCoreForHG,UsedpCoreForHG,FreepCoreForHG,CoreAvailabilityPercentForHG,AvgTotalCoresPerHost,vCoresPerVMForHG,vCoreTopCoreRatio,FreevCoresForHG,TotalpMemInGBForHG,UsedpMemInGBForHG,FreepMemInGBForHG,MemAvailabilityPercentForHG,AvgTotalMemoryPerHost,vMemPerVMForHG,vMemTopMemRatio,FreevMemForHG,BucketStartTime,BucketEndTime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PROPS.CONF
[ComputeUtilization2]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %M-%D-%Y %H:%M:%S
TIME_PREFIX = ^([\w\-\.]+\s+){21}
pulldown_type = 1
REPORT = getcsvfields
TRANSFORMS.CONF
[getcsvfields]
DELIMS = "\t"
FIELDS = tenant, MGId, HostGroup, TotalVMsPerHG, TotalpCoreForHG, UsedpCoreForHG, FreepCoreForHG, CoreAvailabilityPercentForHG, AvgTotalCoresPerHost, vCoresPerVMForHG, vCoreTopCoreRatio, FreevCoresForHG, TotalpMemInGBForHG, UsedpMemInGBForHG, FreepMemInGBForHG, MemAvailabilityPercentForHG, AvgTotalMemoryPerHost, vMemPerVMForHG, vMemTopMemRatio, FreevMemForHG, BucketStartTime, BucketEndTime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
go to the search bar and pipe your main search to | extract getcsvfields
Does that extract the fields correctly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
btw, here's what i am doing to update the configs. i am updating the files in the following location.
C:\Program Files\Splunk\etc\system\local
then going to splunk UI and restarting the server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I tried the above updates. But am still having the same issue. Is there any additional information that I can send.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
