Hi,
I have a simple tab-delimited text file.
1 05:45:12 first message 97
1 05:52:15 second message 110
1 05:52:46 third message 97
1 05:53:09 fourth message 110
I want to index it with the header defined in transforms.conf.
Here are my config files:
**inputs.conf**
[monitor://c:\temp\seho\err\]
disabled = false
index = seho_err_tmp
sourcetype = tsv_WINDOWS-1252
crcSalt=
**props.conf**
[tsv_WINDOWS-1252]
BREAK_ONLY_BEFORE_DATE =
CHARSET = WINDOWS-1252
INDEXED_EXTRACTIONS = tsv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Tab-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = 1
REPORT-getfields=seho_err_fields
**transforms.conf**
[seho_err_fields]
DELIMS=":\t"
FIELDS=Fehler,Zeit,Fehlermeldungtext,Fehlernummer
I also tried \t and "\t".
The defined fields never appear in Splunk and the first row from the file is defined as a header by default. Can anybody help me, please?