I am attempting to have Splunk forward a script of comma-separated values. The values are coming into search as one large string, rather than separated by commas with their field label. Could anyone look this over and see what I am doing wrong?
transforms.conf
[group_fields]
DELIMS=","
FIELDS = Record_Date,filesystem1,filesystem12,filesystem3,filesystem4,filesystem5,filesystem6,filesystem7
props.conf
[forecast]
SHOULD_LINEMERGE = False
pulldown_type = 1
REPORT-getfields = group_fields
inputs.conf
[script://./bin/forecast.sh]
interval = 83400
source = forecast
sourcetype = forecast
In the Splunk search, it's showing up like this. It is not creating comma-delimited fields, just one raw field of all the data.
TIMESTAMP                 RAW
6/13/17 8:04:08.000 AM    06-08-17,424,159,1067,606,7,1,1
The script outputs the data as below.
11/27/2016,289,159,866,1221,7,1,1
11/28/2016,289,159,866,1221,7,1,1
11/29/2016,289,159,813,1258,7,1,1
11/30/2016,289,159,812,1338,7,1,1
12/4/2016,304,159,828,1321,7,1,1
12/5/2016,304,159,828,1321,7,1,1
12/6/2016,295,159,830,1327,7,1,1