Hi all,
I'm in an environment configured as follows:
1 UF, 1 HF, 4 indexers, 1 search head, 1 master cluster.
I have to index a large CSV, read by the universal forwarder, which forwards the data to the HF, which passes the data to the indexer.
The CSV has 150 fields and I want to index only 10 of these. So I've configured the following:
On the **universal forwarder**:

```
#------------------#
# inputs.conf
#------------------#
[monitor:///myfolder/Interface*]
disabled = 0
index = interface_metrics
sourcetype = if_csv
```

On the **heavy forwarder**:

```
#------------------#
# inputs.conf
#------------------#
[splunktcp://9996]
index=interface_metrics
sourcetype = if_csv

#------------------#
# props.conf
#------------------#
[if_csv]
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER=1
HEADER_FIELD_DELIMITER =,
FIELD_DELIMITER=,
HEADER_FIELD_LINE_NUMBER = 0
TRANSFORMS-set=setnull, setparsing, nullhead

#------------------#
# transforms.conf
#------------------#
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[nullhead]
REGEX = ifInDiscardsDelta
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = ^([^,]*),([^,]*),(?:[^,]+,\s*)([^,]*),([^,]*)(?:[^,]+,\s*){5}([^,]*),([^,]*)(?:[^,]+,\s*){3}([^,]*),([^,]*),(?:[^,]+,\s*){2}([^,]*),([^,]*)(?:[^,]+,\s*){7}([^,]*)(?:(?:[^,]+,?\s*)|(?:[,,])){123}([^,]*),([^,]*)
DEST_KEY = queue
FORMAT = indexQueue
```

**Example CSV row:**
0ef1fa5f-586c-48a4-a902-827aef967f47,1569309580446,300.0,100,9,0,0,0,0,6.6107712E7,5.0463189E7,151356.0,150857.0,0.176,0.135,0.0,0.0,0.0,0.0,0,0,0,0,0,0,4b16e13e-c391-4626-b364-2890fe5a009a,0,0,0,0,,,151351,149267,0,0,451,5,1139,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,039550ed-1d39-487f-9b12-276ad9472771,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3.0,3.0,,,0.056,3.4E-4,0.2,3.0,3.0,,,0.056,3.4E-4,0.2,1569309300000,300
I want to keep the fields:
1,2,4,5,10,11,14,15,26,149,150
I can't get only the fields I chose indexed; the whole row is indexed instead.
What am I doing wrong?
Thanks
Fabrizio