Hello all,
I'm a bit stuck with my issue.
I have this Splunk infra:
Sources ==> UF ==> Indexer cluster (3 + master) ==> Search head cluster.
I'm trying to extract fields at index time to transform them in the future.
My props.conf and transforms.conf are deployed to the indexers through the master.
A log line looks like:
date="2017-09-08",time="08:08:00",s-ip="8.8.8.8",time-taken="8",c-ip="9.9.9.9",c-port="45687",s-action="TCP_DENIED",cs-user="foobar"
**transforms.conf**
[fieldtestextract]
WRITE_META = true
REGEX=cs-user="([^"]+)
FORMAT=csuser::$1
**props.conf**
[web:access:file]
TRANSFORMS-csuser = fieldtestextract
TZ = utc
SEDCMD-username = s/,cs-user=\"[^\"]+\",/,cs-user="xxxx",/g
The SEDCMD is working like a charm but the transforms won't work...
**fields.conf** on search heads :
[csuser]
INDEXED = true
INDEXED_VALUE = true
I don't see my field on the search head and obviously I'm not able to execute queries against it.
Could you help me figure out what's wrong with my configuration?
Many thanks in advance.
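A small harness, added here and not part of the question or of Splunk itself, that applies the two regexes from the question to the sample line and reports what the transform would capture depending on whether the SEDCMD masking runs before or after it. It assumes the Python `re` translation of the sed expression is faithful; the second input line, with a field after cs-user, is constructed, because the SEDCMD pattern requires a comma after the closing quote and the sample line as pasted ends at cs-user.

```python
import re

# Sample line taken from the question.
SAMPLE = ('date="2017-09-08",time="08:08:00",s-ip="8.8.8.8",time-taken="8",'
          'c-ip="9.9.9.9",c-port="45687",s-action="TCP_DENIED",cs-user="foobar"')
# Constructed variant: same line with one more field after cs-user,
# so the SEDCMD pattern (which needs a trailing comma) can match.
SAMPLE_WITH_TRAILER = SAMPLE + ',cs-uri="/index.html"'

# SEDCMD-username from props.conf, translated from sed syntax to Python re.
SEDCMD_PATTERN = re.compile(r',cs-user="[^"]+",')
SEDCMD_REPLACEMENT = ',cs-user="xxxx",'

# REGEX from the [fieldtestextract] stanza in transforms.conf.
EXTRACT_PATTERN = re.compile(r'cs-user="([^"]+)')


def apply_sedcmd(raw):
    """Apply the masking SEDCMD to a raw event (the 'g' flag: every match)."""
    return SEDCMD_PATTERN.sub(SEDCMD_REPLACEMENT, raw)


def extract_csuser(raw):
    """Return the value the transform would write as csuser::<value>, or None."""
    m = EXTRACT_PATTERN.search(raw)
    return m.group(1) if m else None


def simulate(raw, sedcmd_first):
    """Return (masked_raw, csuser) for the given processing order."""
    if sedcmd_first:
        masked = apply_sedcmd(raw)
        return masked, extract_csuser(masked)
    value = extract_csuser(raw)
    return apply_sedcmd(raw), value


if __name__ == "__main__":
    for label, line in (("question sample", SAMPLE),
                        ("constructed trailer", SAMPLE_WITH_TRAILER)):
        for order in (True, False):
            masked, user = simulate(line, order)
            print(f"{label:20s} sedcmd_first={order!s:5s} csuser={user!r}")
```

If the masking runs first, the indexed value is "xxxx" rather than the user name, so the two regexes should be checked against the same raw event before deciding which one is misbehaving.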