Hi guys,
I did the following configuration in props.conf in the splunk:
C:\Program Files\Splunk\etc\system\local
[sctmainframe]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
REPORT-myname = mainframe-extract
And in the transforms.conf file too
[mainframe-extract]
EXTRACT = (?<INSTCLI>\d{3})(?<BANCOCLI>\d{3})(?<AGENCLI>\d{4})
The sourcetype "sctmainframe" appear for me as a new sourcetype into the administrator splunk web, but don't work correctly.
What I'm doing of the wrong ?
