Hello
I have a field transform setup that doesn't seem to be working:
**transforms.conf**
```
[coldfusionapplication]
DELIMS = ","
FIELDS = "status","message_id","message_delivered_date","message_delivered_time","service","payload"
```
**props.conf**
```
[cfj:applog]
REPORT-cfjapplog = coldfusionapplication
EVAL-app= "Coldfusion"
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
```
I have this setup on my Search Head Cluster but I'm not seeing the fields from the DELIMS. I DO however see the calculated field "app" from `EVAL-app= "Coldfusion"` so I know at least PART of this is working.
**Fields Available**
host
source
sourcetype
FileContent
StatusCode
app
app_pool
datacenter
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
environ
eventtype
fieldList
hidden
index
linecount
locale
name
punct
qa_env
rows
sourceId
splunk_server
status
tag
tag::eventtype
target_host
timeendpos
timestartpos
units
are all the available fields.
Any ideas on what I'm doing incorrectly?
Thanks for the help!