<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Importing Text file with DAT extension separated by | in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Importing-Text-file-with-DAT-extension-separated-by/m-p/135727#M27947</link>
    <description>&lt;P&gt;Just use a regular [monitor] for inputting the files in the directory (i.e. in inputs.conf)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[monitor:///my/dir/*.dat]
sourcetype=my_dat
index=my_index
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In props.conf, you might need to specify TIME_FORMAT&lt;BR /&gt;
For the field extraction, use a REPORT in props.conf, and use FIELDS and DELIMS in transforms.conf&lt;/P&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[my_dat]
TIME_FORMAT = %Y%m%d %H%M%S
REPORT-dat = dat_pipes
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# Stanza name must match the REPORT-dat value in props.conf
[dat_pipes]
DELIMS = "|"
FIELDS = field1, field2, field3 ... field20
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;You should probably read the Getting Data In section of the docs, and check out the documentation on REPORT field extractions.&lt;/P&gt;

&lt;P&gt;EDIT: typo&lt;/P&gt;</description>
    <pubDate>Thu, 04 Jun 2015 14:07:32 GMT</pubDate>
    <dc:creator>kristian_kolb</dc:creator>
    <dc:date>2015-06-04T14:07:32Z</dc:date>
    <item>
      <title>Importing Text file with DAT extension separated by |</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Importing-Text-file-with-DAT-extension-separated-by/m-p/135726#M27946</link>
      <description>&lt;P&gt;Good Morning&lt;/P&gt;

&lt;P&gt;First off, I have been using Splunk for a year, but mostly importing log files from firewalls and Windows servers.&lt;BR /&gt;
Now I have been asked to import information from a VoIP platform. It comes in text files with DAT extensions, separated by |&lt;/P&gt;

&lt;P&gt;I have been trying to import the folder containing the files, but I get a triangle error handling this. I tried importing this format as CSV and others, but I just can't get Splunk to import or even read it.&lt;BR /&gt;
Here is a sample of the data inside the DAT file&lt;/P&gt;

&lt;P&gt;0|5558013|20150103 234659|5558888|11||11001100||634|0|201|2061||PRDCWR7B00||10||1112068888||106&lt;BR /&gt;
0|5557815|20150103 235656|5551634|1||11001000||201|14||||PRDCWR7B00|1123011634|10||||8&lt;BR /&gt;
0|5554908|20150103 235000|5551349|7||11001100||551|2|611|0||CS2KTOHUAWEI|1123051349|10||||68&lt;BR /&gt;
0|5556438|20150103 235249|5555224|39||11001000||551|18||||PRDCWRJF7B00|1123995224|10||||383&lt;/P&gt;

&lt;P&gt;I am sure it's my lack of experience with importing files in Splunk.&lt;BR /&gt;
Can anyone point me in the right direction?&lt;BR /&gt;
Thanks&lt;/P&gt;</description>
      <pubDate>Thu, 04 Jun 2015 13:34:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Importing-Text-file-with-DAT-extension-separated-by/m-p/135726#M27946</guid>
      <dc:creator>hneuman</dc:creator>
      <dc:date>2015-06-04T13:34:25Z</dc:date>
    </item>
    <item>
      <title>Re: Importing Text file with DAT extension separated by |</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Importing-Text-file-with-DAT-extension-separated-by/m-p/135727#M27947</link>
      <description>&lt;P&gt;Just use a regular [monitor] for inputting the files in the directory (i.e. in inputs.conf)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[monitor:///my/dir/*.dat]
sourcetype=my_dat
index=my_index
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In props.conf, you might need to specify TIME_FORMAT&lt;BR /&gt;
For the field extraction, use a REPORT in props.conf, and use FIELDS and DELIMS in transforms.conf&lt;/P&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[my_dat]
TIME_FORMAT = %Y%m%d %H%M%S
REPORT-dat = dat_pipes
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# Stanza name must match the REPORT-dat value in props.conf
[dat_pipes]
DELIMS = "|"
FIELDS = field1, field2, field3 ... field20
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;You should probably read the Getting Data In section of the docs, and check out the documentation on REPORT field extractions.&lt;/P&gt;

&lt;P&gt;EDIT: typo&lt;/P&gt;</description>
      <pubDate>Thu, 04 Jun 2015 14:07:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Importing-Text-file-with-DAT-extension-separated-by/m-p/135727#M27947</guid>
      <dc:creator>kristian_kolb</dc:creator>
      <dc:date>2015-06-04T14:07:32Z</dc:date>
    </item>
  </channel>
</rss>

