topic How to create a source type of file positional in Getting Data In

How to create a source type of file positional

rafamss — Thu, 12 Dec 2013 16:17:31 GMT

Hi guys,

I have a file that contains blocks of data that are positionals, they have the size of fields Folloowing sample:

For the first field, the position could be the first byte with size of 3 positions and each fields following have a rule specific.

0083410001049703K ARQB4_B8E4_07 000000TESTENT 2513145609235200000000000000 CP000000000000WW

How to create a source type for this ?

Re: How to create a source type of file positional

lguinn2 — Thu, 12 Dec 2013 16:51:16 GMT

When you tell Splunk to index the file, in inputs.conf (or in the GUI), give it a sourcetype name. Just choose a name that doesn't already exist and you will be fine ...

inputs.conf

[monitor:///path/to/mylogfile.log]
sourcetype = myNewSourcetype

Now you have a new sourcetype. To define the fields, you can use props.conf (and transforms.conf) quite easily.
For example, if the first field is 6 digits and the second field is 4 digits, you could do this

props.conf

[myNewSourcetype]
EXTRACT-mns1 = (?<Field1>\d{6})(?<Field2>\d{4})

You do need to know regular expressions, and you should probably also read

The docs Create and maintain field extractions...

This answer define custom fixed fields

Re: How to create a source type of file positional

rafamss — Thu, 12 Dec 2013 18:17:39 GMT

Hi lguinn,

I have one problem, in my file has blank spaces and special characters. When I put the regex for extract the information that i need, it's not understanding this.

Do you know the which I need to do ? I tried use \D \d or just the dot for get the information, without success.

PS. I looked in the links above.

Thanks.

Re: How to create a source type of file positional

rafamss — Thu, 12 Dec 2013 19:38:19 GMT

Hi Iguinn,

The problem was in the file. 😞

Thanks for your help.