<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: transforms.conf delimiter ASCII in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193900#M38630</link>
    <description>&lt;P&gt;Great!&lt;BR /&gt;
DELIMS do not work, but REGEX works very fine.&lt;BR /&gt;
Thanks a lot&lt;/P&gt;</description>
    <pubDate>Wed, 13 May 2015 17:22:50 GMT</pubDate>
    <dc:creator>pierre_weg</dc:creator>
    <dc:date>2015-05-13T17:22:50Z</dc:date>
    <item>
      <title>transforms.conf delimiter ASCII</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193896#M38626</link>
      <description>&lt;P&gt;Hi all!&lt;/P&gt;

&lt;P&gt;A have a log file that use ASCII Dec 031 (US - Unit Separator) as delimiter.&lt;BR /&gt;
How can I configure my transforms and props to work with this delimiter?&lt;/P&gt;

&lt;P&gt;Thanks a lot.&lt;/P&gt;</description>
      <pubDate>Tue, 12 May 2015 17:46:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193896#M38626</guid>
      <dc:creator>pierre_weg</dc:creator>
      <dc:date>2015-05-12T17:46:17Z</dc:date>
    </item>
    <item>
      <title>Re: transforms.conf delimiter ASCII</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193897#M38627</link>
      <description>&lt;P&gt;Use RegEx encoding for this character: &lt;CODE&gt;\x1F&lt;/CODE&gt;.&lt;/P&gt;</description>
      <pubDate>Tue, 12 May 2015 18:45:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193897#M38627</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2015-05-12T18:45:12Z</dc:date>
    </item>
    <item>
      <title>Re: transforms.conf delimiter ASCII</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193898#M38628</link>
      <description>&lt;P&gt;I set my props as follow:&lt;BR /&gt;
[mailheader]&lt;BR /&gt;
NO_BINARY_CHECK = 1&lt;BR /&gt;
pulldown_type = 1&lt;BR /&gt;
CHECK_FOR_HEADER = false&lt;BR /&gt;
REPORT-AutoHeader = MailHeader&lt;/P&gt;

&lt;P&gt;and my transforms as follow:&lt;BR /&gt;
[MailHeader]&lt;BR /&gt;
DELIMS="\1f"&lt;BR /&gt;
FIELDS="FILENAME","TIMESTAMP","IP","FROM","RETURN_PATH","TO","CC","SUBJECT","AUTH"&lt;/P&gt;

&lt;P&gt;Is not running... &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&lt;BR /&gt;
The fields aro not correctly separated.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 19:57:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193898#M38628</guid>
      <dc:creator>pierre_weg</dc:creator>
      <dc:date>2020-09-28T19:57:24Z</dc:date>
    </item>
    <item>
      <title>Re: transforms.conf delimiter ASCII</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193899#M38629</link>
      <description>&lt;P&gt;I am not sure if &lt;CODE&gt;DELIMS&lt;/CODE&gt; method will work but try this &lt;CODE&gt;transforms.conf&lt;/CODE&gt; and see:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[MailHeader]
DELIMS="\x1F"
FIELDS=FILENAME, TIMESTAMP, IP, FROM, RETURN_PATH, TO, CC, SUBJECT, AUTH
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;If you can't make it work then keep your &lt;CODE&gt;props.conf&lt;/CODE&gt; the same and try this for &lt;CODE&gt;transforms.conf&lt;/CODE&gt;:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[MailHeader]
REGEX=^([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)
FORMAT=FILENAME::$1 TIMESTAMP::$2 IP::$3 FROM::$4 RETURN_PATH::$5 TO::$6 CC::$7 SUBJECT::$8 AUTH::$9
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 13 May 2015 15:17:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193899#M38629</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2015-05-13T15:17:38Z</dc:date>
    </item>
    <item>
      <title>Re: transforms.conf delimiter ASCII</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193900#M38630</link>
      <description>&lt;P&gt;Great!&lt;BR /&gt;
DELIMS do not work, but REGEX works very fine.&lt;BR /&gt;
Thanks a lot&lt;/P&gt;</description>
      <pubDate>Wed, 13 May 2015 17:22:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/transforms-conf-delimiter-ASCII/m-p/193900#M38630</guid>
      <dc:creator>pierre_weg</dc:creator>
      <dc:date>2015-05-13T17:22:50Z</dc:date>
    </item>
  </channel>
</rss>

