Hi,
thank you for your help, but it seems not to be working.
I'll show you what I did; maybe something is wrong.
In /opt/splunk/etc/apps/dbx/default/transforms.conf I added these lines
[ethconnector_rule]
SOURCE_KEY = PARAMS
DELIMS = "|"
FIELDS = PARAMS_FIELD1,PARAMS_FIELD2,PARAMS_FIELD3,PARAMS_FIELD4,PARAMS_FIELD5,PARAMS_FIELD6,PARAMS_FIELD7,PARAMS_FIELD8,PARAMS_FIELD9,PARAMS_FIELD10,PARAMS_FIELD11,PARAMS_FIELD12,PARAMS_FIELD13
In /opt/splunk/etc/apps/dbx/default/props.conf I added these lines (buonopasto is my database-input sourcetype)
[buonopasto]
REPORT-subfields = ethconnector_rule
I restarted Splunk, but the new fields (PARAMS_FIELD1, ...., PARAMS_FIELD12, PARAMS_FIELD13) do not appear in Splunk search.
Last info: PARAMS, as I said before, is pipe-separated into subfields, but not always. There is another field that determines how PARAMS is separated.
Example:
if CMD==puttrans then PARAMS=PARAMS_FIELD1|...|PARAMS_FIELD12|PARAMS_FIELD13
if CMD==noop then PARAMS=field1 field2 field3
Could this be the issue?
Thank you again.
Lewix
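The post above describes a PARAMS value whose delimiter depends on a second field, CMD. A DELIMS-based transform in transforms.conf splits whichever value it is given with no way to consult another field, so the two CMD cases need to be modelled separately. The following is an added example, written for this page and not code from the original post or from Splunk's own extraction machinery: it reproduces the conditional split in plain Python on constructed rows, so the expected field names for each CMD can be checked before a search-time rule is written. The PARAMS_FIELD1..13 and field1..3 names follow the post; the rule table, the PARAMS_OVERFLOW name and the sample rows are assumptions made for the example.

```python
"""Conditional splitting of PARAMS keyed on CMD (added example, not from the post)."""
from typing import Dict, List, Optional

# Assumed rule table: which delimiter and which field names apply per CMD value.
# A delimiter of None means "split on whitespace", as in the CMD==noop case.
SPLIT_RULES: Dict[str, Dict[str, object]] = {
    "puttrans": {"delim": "|", "fields": [f"PARAMS_FIELD{i}" for i in range(1, 14)]},
    "noop": {"delim": None, "fields": ["field1", "field2", "field3"]},
}


def split_params(cmd: str, params: str) -> Dict[str, str]:
    """Return the subfields of PARAMS for the given CMD, or {} for an unknown CMD.

    An unknown CMD leaves PARAMS unsplit, which mirrors a transform whose rule
    does not match: nothing is extracted rather than something wrong.
    """
    rule = SPLIT_RULES.get(cmd)
    if rule is None:
        return {}
    delim: Optional[str] = rule["delim"]  # type: ignore[assignment]
    names: List[str] = rule["fields"]  # type: ignore[assignment]
    parts = params.split(delim) if delim is not None else params.split()
    out = dict(zip(names, parts))  # zip stops at the shorter list: missing fields stay absent
    # Surplus parts are kept under one assumed name so that nothing silently disappears.
    if len(parts) > len(names):
        joiner = delim if delim is not None else " "
        out["PARAMS_OVERFLOW"] = joiner.join(parts[len(names):])
    return out


def extract_all(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Merge the conditional subfields into each row, keeping CMD and PARAMS."""
    return [dict(row, **split_params(row["CMD"], row["PARAMS"])) for row in rows]


# Constructed sample rows standing in for database-input events of the poster's sourcetype.
SAMPLE_ROWS = [
    {"CMD": "puttrans", "PARAMS": "|".join(f"v{i}" for i in range(1, 14))},
    {"CMD": "noop", "PARAMS": "alpha beta gamma"},
    {"CMD": "other", "PARAMS": "x|y z"},
]

if __name__ == "__main__":
    for row in extract_all(SAMPLE_ROWS):
        print(row)
```

Once the two cases behave as intended here, the same split can be expressed in Splunk either as two transforms (one REGEX-based rule per CMD layout) or with `eval`/`split` in search; the point of the example is only to pin down which names each CMD should produce.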