I am running into an issue with my transforms and props config files, my data is being logged properly to my index but when I set my fields in the transforms.conf it only takes everyother fieldname. Below are my transforms.conf stanza with the work-around I have implemented and my props.conf, clearly this is a bad method and i am trying to figure out why splunk would be taking everyother fieldname
transforms.conf
[mySourcetype]
DELIMS = ", "
FIELDS = "timestamp", "", "levelname", "", "someid", "", "somecode", "", "someothercode", "", "someotherid"
That empty double bracket is the only way for my logs to be formatted properly.
props.conf
[mySourcetype]
TRUNCATE = 0
MAX_EVENTS = 10000
MAX_TIMESTAMP_LOOKAHEAD = 60
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
REPORT-mySourcetype = mySourcetype
BREAK_ONLY_BEFORE = TIMESTAMP
KV_MODE = auto
given_type = csv