https://community.splunk.com/t5/Getting-Data-In/TCP-input-tcp-raw-not-splitting-rows-by-newline/m-p/76056#M15537 <P>Here is a screenshot of the data if that clears things up.</P> <P><A href="http://i56.tinypic.com/xmmyh1.gif">http://i56.tinypic.com/xmmyh1.gif</A></P> Thu, 15 Sep 2011 23:37:23 GMT phoenixdigital 2011-09-15T23:37:23Z https://community.splunk.com/t5/Getting-Data-In/TCP-input-tcp-raw-not-splitting-rows-by-newline/m-p/76055#M15536 <P>Hi All,</P> <P>I have written a python HTTP downloader which is pulling down multiple zip files and extracting the contents then feeding them to a TCP port on Splunk.</P> <P>Inside each zip are a whole bunch of csv files with the format</P> <PRE><CODE>header1, header2, header3, aTimestampIwant1 data1, data2, data3, dateData1 data1, data2, data3, dateData1 etc.... </CODE></PRE> <P>Now the python script is unzipping this file and creating a sourcetype based on the filename. It is also building a Splunk friendly format for Splunk to consume. This entire string is then sent to a TCP port that Splunk is listening on.</P> <P>Splunk recieves something like this in the one connection</P> <PRE><CODE>***SPLUNK*** host=myhost, source=theOriginalFilenameFromTheZip, sourcetype=extractedFromFilename\r\n header1=data1, header2=data2, header3=data3, aTimestampIwant1=dateData1\r\n header1=data1, header2=data2, header3=data3, aTimestampIwant1=dateData1\r\n etc..... </CODE></PRE> <P>now when I look at the data in Splunk it has the correct source and sourcetype.... but..</P> <P>There are a few things that I need to resolve.</P> <OL> <LI>Each 'event' in Splunk is the entire message of all rows of data. They are not split by the newlines I am passing through the stream</LI> <LI>It appears dates/times are not being translated when a column is of a common date type.</LI> <LI>more importantly the timestamp(_time) is not being found and it is using the time the data was recieved.</LI> </OL> <P>Now I know that some will answer create something in props.conf for each type of file. I am trying to avoid this as there are over 30 different types of files.</P> <P>If I can get this to work then it will allow this script to handle new file(source) types in the future should they start getting fed into the stream.</P> <P>Any help would be greatly appreciated.</P> Thu, 15 Sep 2011 06:45:56 GMT https://community.splunk.com/t5/Getting-Data-In/TCP-input-tcp-raw-not-splitting-rows-by-newline/m-p/76055#M15536 phoenixdigital 2011-09-15T06:45:56Z https://community.splunk.com/t5/Getting-Data-In/TCP-input-tcp-raw-not-splitting-rows-by-newline/m-p/76056#M15537 <P>Here is a screenshot of the data if that clears things up.</P> <P><A href="http://i56.tinypic.com/xmmyh1.gif">http://i56.tinypic.com/xmmyh1.gif</A></P> Thu, 15 Sep 2011 23:37:23 GMT https://community.splunk.com/t5/Getting-Data-In/TCP-input-tcp-raw-not-splitting-rows-by-newline/m-p/76056#M15537 phoenixdigital 2011-09-15T23:37:23Z https://community.splunk.com/t5/Getting-Data-In/TCP-input-tcp-raw-not-splitting-rows-by-newline/m-p/76057#M15538 <P>Did you manage to get a solution for this?</P> Mon, 11 Jan 2016 16:55:11 GMT https://community.splunk.com/t5/Getting-Data-In/TCP-input-tcp-raw-not-splitting-rows-by-newline/m-p/76057#M15538 isaacvb 2016-01-11T16:55:11Z