I'm logging from a program called pega, which spits out some lengthy logs. I found the field names, and attempted to assign the names to the fields, but am having problems doing so. Below is an output of what's being applied at index:
props.conf
splunk@atlitpsplnk1:/opt/splunk_ind/bin> ./splunk cmd btool transforms list --debug | grep -A 10 uat:pegarules_alert
/opt/splunk_ind/etc/system/local/transforms.conf [apollo:uat:pegarules_alert_fields]
/opt/splunk_ind/etc/system/default/transforms.conf CAN_OPTIMIZE = True
/opt/splunk_ind/etc/system/default/transforms.conf CLEAN_KEYS = True
/opt/splunk_ind/etc/system/default/transforms.conf DEFAULT_VALUE =
/opt/splunk_ind/etc/system/local/transforms.conf DELIMS = "*"
/opt/splunk_ind/etc/system/default/transforms.conf DEST_KEY =
/opt/splunk_ind/etc/system/local/transforms.conf FIELDS = "generatedDateTime","version","msgID","kpiThreshold","serverID","requestorID","userID","workPool","ruleAppNameVersion","encodeRulesetList","allowsRuleCheckOut","interaction","threadName","pegaThreadName","loggerName","stack","lastInput","firstActivity","traceList","palData","primaryPageClass","primaryPageName","stepPageClass","stepPageName","pegaStack","parameterPage","line"
/opt/splunk_ind/etc/system/default/transforms.conf FORMAT =
/opt/splunk_ind/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False
/opt/splunk_ind/etc/system/default/transforms.conf LOOKAHEAD = 4096
/opt/splunk_ind/etc/system/default/transforms.conf MV_ADD = False
transforms.conf
splunk@atlitpsplnk1:/opt/splunk_ind/bin> ./splunk cmd btool props list --debug | grep uat:pegarules_alert
/opt/splunk_ind/etc/apps/props_pega/default/props.conf [XXXXXX:uat:pegarules_alert]
/opt/splunk_ind/etc/system/local/props.conf REPORT-getfields = XXXXXX:uat:pegarules_alert_fields
And when I search in splunk for that sourcetype, the only fields are index, linecount & splunk_server. I guess I broke it, but what's wrong here? Thanks.
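Two things a practitioner would check against the btool output above: the name a `REPORT-` setting references must match the `transforms.conf` stanza name exactly (the output shows `apollo:uat:pegarules_alert_fields` for the stanza but `XXXXXX:uat:pegarules_alert_fields` for the reference; whether that is a redaction or a real mismatch, the check is the same), and `REPORT-` extractions are search-time, so the search head, not only the indexer, needs the merged props and transforms. The script below is an added example, not code from the post or from Splunk: it lints that wiring on constructed copies of the two conf fragments and then emulates what `DELIMS`/`FIELDS` with `KEEP_EMPTY_VALS = False` does to a constructed, `*`-separated Pega-style alert line using the exact `FIELDS` list from the post. The emulation is an assumption about Splunk's behaviour (it splits on every character in `DELIMS`, zips values with names in order and drops empty values); Splunk's handling of edge cases such as a value count that differs from the `FIELDS` count is not reproduced here.

```python
"""Lint props.conf -> transforms.conf wiring and emulate DELIMS/FIELDS extraction.
Added example; the conf text and the alert line are constructed, not the poster's files."""
import configparser
import re

# Constructed props.conf fragment, modelled on the stanza in the post.
PROPS_CONF = """
[XXXXXX:uat:pegarules_alert]
REPORT-getfields = XXXXXX:uat:pegarules_alert_fields
"""

# Constructed transforms.conf fragment. The stanza keeps the "apollo:" prefix shown in
# the post's btool output, so it does NOT match the REPORT- reference above; the lint
# below is meant to catch exactly that kind of mismatch.
TRANSFORMS_CONF = """
[apollo:uat:pegarules_alert_fields]
DELIMS = "*"
FIELDS = "generatedDateTime","version","msgID","kpiThreshold","serverID","requestorID","userID","workPool","ruleAppNameVersion","encodeRulesetList","allowsRuleCheckOut","interaction","threadName","pegaThreadName","loggerName","stack","lastInput","firstActivity","traceList","palData","primaryPageClass","primaryPageName","stepPageClass","stepPageName","pegaStack","parameterPage","line"
KEEP_EMPTY_VALS = False
"""

# Constructed Pega-style alert line: 27 "*"-separated values, with the tenth slot
# (encodeRulesetList) deliberately left empty to show KEEP_EMPTY_VALS in action.
SAMPLE_LINE = "*".join([
    "2024-01-15 10:32:45,117 GMT", "8", "PEGA0005", "500", "atl-pega-node1",
    "H1A2B3C4D5E6F7", "user@example.com", "WorkPool-Default", "MyApp:01.01.01",
    "",  # encodeRulesetList: empty on purpose
    "false", "Interaction-42", "http-nio-8080-exec-7", "STANDARD",
    "com.pega.pegarules.alerts", "stack-omitted", "lastinput-omitted", "Work-.New",
    "trace-omitted", "pal-omitted", "MyCo-FW-Work", "pyWorkPage", "MyCo-FW-Work",
    "pyWorkPage", "pegastack-omitted", "param-omitted",
    "Database operation took longer than threshold: 812 ms",
])


def load_conf(text):
    """Parse Splunk-style INI text; keep option names case-sensitive like Splunk does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _quoted_list(value):
    """Turn '"a","b"' (or 'a,b') into ['a', 'b']."""
    return [tok.strip().strip('"') for tok in value.split(",") if tok.strip()]


def lint_wiring(props, transforms):
    """Return a list of problems: REPORT- references that point at no stanza,
    or stanzas that define neither REGEX nor a DELIMS+FIELDS pair."""
    problems = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("REPORT-"):
                continue
            for ref in _quoted_list(value):
                if not transforms.has_section(ref):
                    problems.append(f"[{stanza}] {key} -> no transforms stanza named [{ref}]")
                    continue
                t = transforms[ref]
                if "REGEX" not in t and not ("DELIMS" in t and "FIELDS" in t):
                    problems.append(f"[{ref}] defines neither REGEX nor DELIMS+FIELDS")
    return problems


def extract_fields(line, stanza):
    """Emulate a DELIMS/FIELDS transform (assumed behaviour): split the event on every
    character in DELIMS, pair values with FIELDS names in order, and drop empty values
    unless KEEP_EMPTY_VALS is true."""
    delims = _quoted_list(stanza["DELIMS"])[0]
    names = _quoted_list(stanza["FIELDS"])
    keep_empty = stanza.get("KEEP_EMPTY_VALS", "False").strip().lower() == "true"
    values = re.split("[" + re.escape(delims) + "]", line)
    extracted = {}
    for name, value in zip(names, values):
        if value == "" and not keep_empty:
            continue
        extracted[name] = value
    return extracted


if __name__ == "__main__":
    props, transforms = load_conf(PROPS_CONF), load_conf(TRANSFORMS_CONF)
    for problem in lint_wiring(props, transforms):
        print("WIRING:", problem)
    fields = extract_fields(SAMPLE_LINE, transforms["apollo:uat:pegarules_alert_fields"])
    for name, value in fields.items():
        print(f"{name} = {value}")
```

Run it as-is and the lint reports the stanza-name mismatch before any field is extracted; rename the transforms stanza to match the `REPORT-` reference (or vice versa) and the lint goes quiet while the 26 non-empty fields are listed. Against a real deployment, run the same two checks on the btool output of the search head, since that is where `REPORT-` extractions are evaluated.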