Hi,
I'm running my environment with one main indexer and one search head. I have an index on the main indexer where each event is a space delimited line. In my etc/system/local/transforms.conf on the search head I have this set:
[csv_extract]
DELIMS = " "
FIELDS = "src_ip", "dest_ip", "request"
I then want to take the values for the field named "request" and break those up into parts. So I wrote this stanza in transforms.conf:
[protocol_extract]
REGEX = ^(\w*)://
SOURCE_KEY = request
FORMAT = proto::$1
Both stanzas are added to the search head's etc/system/local/props.conf as:
[weblogs]
KV_MODE = none
REPORT-csv_extract = csv_extract
REPORT-protocol_extract = protocol_extract
When I restart Splunk and perform a search over that data the fields extracted by the [csv_extract] work fine, but the [protocol_extract] doesn't work. When I run the search adding | extract reload=T all fields show up, including the [protocol_extract]. Then I drop the | extract reload=T and run the search again. This time the [protocol_extract] field disappears again! Any subsequent restart of Splunk performs the same way....
I'm running 4.1.2 on my main indexer and the search head.
Any ideas on what I'm doing wrong???
I had a similar case just today.
Try the following props.conf:
[weblogs]
KV_MODE = none
REPORT-extracts = csv_extract protocol_extract
Let me know how it goes,
.gz
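The following is an added Python model of the two transforms from the question, not code from either poster or from Splunk itself; it assumes a constructed sample event and shows that protocol_extract only produces a proto field when csv_extract has already produced request, which is the ordering the answer's single REPORT line makes explicit.

```python
import re

# Constructed sample event in the poster's space-delimited format:
#   src_ip dest_ip request
SAMPLE_EVENT = "10.0.0.5 192.0.2.10 https://example.test/login?user=a"


def csv_extract(event: str, fields: dict) -> dict:
    """Model of [csv_extract]: DELIMS = " ", FIELDS = src_ip, dest_ip, request."""
    names = ["src_ip", "dest_ip", "request"]
    # Split on the first two spaces only, so a request containing spaces stays whole.
    values = event.split(" ", len(names) - 1)
    out = dict(fields)
    out.update(zip(names, values))
    return out


def protocol_extract(event: str, fields: dict) -> dict:
    """Model of [protocol_extract]: REGEX = ^(\\w*):// run over SOURCE_KEY = request,
    FORMAT = proto::$1. The regex reads the already-extracted 'request' field, not the
    raw event, so if that field is absent there is nothing to match."""
    out = dict(fields)
    source = fields.get("request")
    if source is None:
        return out
    m = re.match(r"^(\w*)://", source)
    if m:
        out["proto"] = m.group(1)
    return out


def run_report(event: str, transforms: list) -> dict:
    """Apply transforms in the listed order; each one sees the fields produced so far."""
    fields: dict = {}
    for transform in transforms:
        fields = transform(event, fields)
    return fields


if __name__ == "__main__":
    # csv_extract first: proto is extracted.
    print(run_report(SAMPLE_EVENT, [csv_extract, protocol_extract]))
    # protocol_extract first: request does not exist yet, so proto is missing.
    print(run_report(SAMPLE_EVENT, [protocol_extract, csv_extract]))
```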