<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: trouble getting started in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/trouble-getting-started/m-p/30847#M5427</link>
    <description>&lt;P&gt;Define a sourcetype in props.conf and apply this sourcetype in inputs.conf;&lt;BR /&gt;
then you can pick automatic header detection, or define a fixed name for the fields.&lt;/P&gt;

&lt;P&gt;See &lt;A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Extractfieldsfromfileheadersatindextime"&gt;http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Extractfieldsfromfileheadersatindextime&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 19 Apr 2012 12:41:08 GMT</pubDate>
    <dc:creator>yannK</dc:creator>
    <dc:date>2012-04-19T12:41:08Z</dc:date>
    <item>
      <title>trouble getting started</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/trouble-getting-started/m-p/30846#M5426</link>
      <description>&lt;P&gt;I'm trying to find a way to analyse iTunes log files - I'm pretty sure Splunk can help me here, have got some data in but need some help.&lt;/P&gt;

&lt;P&gt;My log data look like this, I have 1 log file per day:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;ARTIST_ID   ITUNES_ID   ACTION_TYPE TITLE   URL EPISODE_ID  EPISODE_TITLE   EPISODE_TYPE    STOREFRONT  USERAGENT   IP_ADDRESS  TIMESTAMP
402424201   405050927   Browse  Psychology  http://itunes.apple.com/WebObjects/DZR.woa/wa/viewPodcast?cc=cn&amp;amp;id=405050927    0           143465  iTunes/10.5.2 (Windows; Microsoft Windows XP Professional Service Pack 3 (Build 2600)) AppleWebKit/534.52.7 59.40.x.x   2012-01-19 00:08:29.000-0800
402424201   405050927   Browse  Psychology  http://itunes.apple.com/WebObjects/DZR.woa/wa/viewPodcast?cc=de&amp;amp;id=405050927    0           143443  iTunes/10.5.2 (Macintosh; Intel Mac OS X 10.6.8) AppleWebKit/534.52.7   77.190.x.x  2012-01-19 00:33:29.000-0800
402424201   420615508   Browse  Sociology   http://itunes.apple.com/WebObjects/DZR.woa/wa/viewPodcast?cc=us&amp;amp;id=420615508    0           143441  iTunes/10.5.2 (Macintosh; Intel Mac OS X 10.6.8) AppleWebKit/534.52.7   174.117.x.x 2012-01-19 00:36:14.000-0800
402424201   405050927   Stream  Psychology  http://itunes.apple.com/WebObjects/DZR.woa/wa/viewPodcast?cc=de&amp;amp;id=405050927    89066156    Deal or No Deal, Terrorism and Bicycle Accidents    video   143443  iTunes/10.5.2 (Macintosh; Intel Mac OS X 10.6.8) AppleWebKit/534.52.7   77.190.x.x  2012-01-19 00:36:33.000-0800
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I have managed to get it to find the correct timestamp using a regexp and saved a source type, but when I get it to index other data files from the same directory using the same source type and then view the data in search, it's created a separate source type for each new file and not got the correct timestamp or breaks.&lt;/P&gt;

&lt;P&gt;Also, how do I deal with the first line of field headings?&lt;/P&gt;

&lt;P&gt;Can anyone help or point me to a basic tutorial?&lt;/P&gt;</description>
      <pubDate>Thu, 19 Apr 2012 11:20:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/trouble-getting-started/m-p/30846#M5426</guid>
      <dc:creator>mikehughes</dc:creator>
      <dc:date>2012-04-19T11:20:32Z</dc:date>
    </item>
    <item>
      <title>Re: trouble getting started</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/trouble-getting-started/m-p/30847#M5427</link>
      <description>&lt;P&gt;Define a sourcetype in props.conf and apply this sourcetype in inputs.conf;&lt;BR /&gt;
then you can pick automatic header detection, or define a fixed name for the fields.&lt;/P&gt;

&lt;P&gt;See &lt;A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Extractfieldsfromfileheadersatindextime"&gt;http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Extractfieldsfromfileheadersatindextime&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 19 Apr 2012 12:41:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/trouble-getting-started/m-p/30847#M5427</guid>
      <dc:creator>yannK</dc:creator>
      <dc:date>2012-04-19T12:41:08Z</dc:date>
    </item>
  </channel>
</rss>

