https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467327#M131519 <P>Hello everyone,</P> <P>I have the attached file that is generated every night through my client's internal system and I need to index the information to collect metrics.</P> <P>I need these files to be indexed based on their date in the file name.</P> <P>Ex: The name of the file generated by the system is (qtd_ramal_diario_04042020.txt, qtd_ramal_diario_05042020.txt, etc.), so I need it to be indexed according to the time in the file name.</P> <P>I need to extract the information that is between ";" in separate fields with the names (Field1, Field2, Field3) respectively.</P> <P>Remembering that this file is variable, there are days that generate many lines and others do not.</P> <P>FIELD1 FIELD2 FIELD3<BR /> 77111010; 8; 614<BR /> 77111812; 1; 106<BR /> 77115070; 1; 58<BR /> 70666287; 4; 171<BR /> 70662245; 12; 708<BR /> 77196074; 23; 1439</P> <P>Is there a way to do this with Splunk?</P> <P>Below is an example of the generated log:</P> <PRE><CODE>78122960;2; 132 55002801;3; 279 8068256;8; 466 80661008;4; 134 55258888; 21;1843 76283160;1;25 55735555; 15;1027 55191240;1; 267 80662176;2; 249 790965034;3;93 55159608;1;20 80668021;1;19 76282680;2; 154 80664441;5; 536 71172794;1;28 55196157; 16;1208 55192425;3; 347 55196091;1;23 55192404;1;71 55196032; 24; 996 55196553;2;78 55196040;4;1087 55196426;1; 152 78111816;2; 157 78111847;1;30 78111815;6; 429 78111814;3; 233 55021902;2; 278 55034140;4; 159 550364331;1;80 550561127;2;78 </CODE></PRE> Wed, 30 Sep 2020 04:53:08 GMT leandromatperei 2020-09-30T04:53:08Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467327#M131519 <P>Hello everyone,</P> <P>I have the attached file that is generated every night through my client's internal system and I need to index the information to collect metrics.</P> <P>I need these files to be indexed based on their date in the file name.</P> <P>Ex: The name of the file generated by the system is (qtd_ramal_diario_04042020.txt, qtd_ramal_diario_05042020.txt, etc.), so I need it to be indexed according to the time in the file name.</P> <P>I need to extract the information that is between ";" in separate fields with the names (Field1, Field2, Field3) respectively.</P> <P>Remembering that this file is variable, there are days that generate many lines and others do not.</P> <P>FIELD1 FIELD2 FIELD3<BR /> 77111010; 8; 614<BR /> 77111812; 1; 106<BR /> 77115070; 1; 58<BR /> 70666287; 4; 171<BR /> 70662245; 12; 708<BR /> 77196074; 23; 1439</P> <P>Is there a way to do this with Splunk?</P> <P>Below is an example of the generated log:</P> <PRE><CODE>78122960;2; 132 55002801;3; 279 8068256;8; 466 80661008;4; 134 55258888; 21;1843 76283160;1;25 55735555; 15;1027 55191240;1; 267 80662176;2; 249 790965034;3;93 55159608;1;20 80668021;1;19 76282680;2; 154 80664441;5; 536 71172794;1;28 55196157; 16;1208 55192425;3; 347 55196091;1;23 55192404;1;71 55196032; 24; 996 55196553;2;78 55196040;4;1087 55196426;1; 152 78111816;2; 157 78111847;1;30 78111815;6; 429 78111814;3; 233 55021902;2; 278 55034140;4; 159 550364331;1;80 550561127;2;78 </CODE></PRE> Wed, 30 Sep 2020 04:53:08 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467327#M131519 leandromatperei 2020-09-30T04:53:08Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467328#M131520 <P>props.conf</P> <PRE><CODE>[delim_csv] DATETIME_CONFIG = NONE FIELD_DELIMITER = ; FIELD_NAMES = field1,field2,field3 LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = 0 TRANSFORMS-time = timestampeval pulldown_type = 1 disabled = false </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[timestampeval] INGEST_EVAL = _time=strptime(replace(source,".*?(\d+)\.txt","\1"),"%d%m%Y") </CODE></PRE> <P>Please tell me.<BR /> 1. Why don't you provide necessary information from the beginning?<BR /> 2. I have provided reference materials, but did not understand where?</P> <P>Occasionally, I think the questioner may not be asking for a solution.</P> <P>For example<BR /> People who just say they don't work<BR /> People who do not provide the information needed to create a query</P> <H2>Please answer me because I want to solve my question.</H2> <PRE><CODE>| makeresults | eval _raw="78122960;2; 132 55002801;3; 279 8068256;8; 466 80661008;4; 134 55258888; 21;1843 76283160;1;25 55735555; 15;1027 55191240;1; 267 80662176;2; 249 790965034;3;93 55159608;1;20 80668021;1;19 76282680;2; 154 80664441;5; 536 71172794;1;28 55196157; 16;1208 55192425;3; 347 55196091;1;23 55192404;1;71 55196032; 24; 996 55196553;2;78 55196040;4;1087 55196426;1; 152 78111816;2; 157 78111847;1;30 78111815;6; 429 78111814;3; 233 55021902;2; 278 55034140;4; 159 550364331;1;80 550561127;2;78" | multikv noheader=t | foreach * [ eval &lt;&lt;FIELD&gt;&gt; = trim('&lt;&lt;FIELD&gt;&gt;')] | rename Column_* as FIELD* | fields - _* linecount </CODE></PRE> <P>you can do it by search.</P> Mon, 06 Apr 2020 20:14:03 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467328#M131520 to4kawa 2020-04-06T20:14:03Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467329#M131521 <P>Thank you for your help.</P> <P>This file is generated every day, what would the configuration of <STRONG>props.conf</STRONG> look like?</P> Mon, 06 Apr 2020 20:41:19 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467329#M131521 leandromatperei 2020-04-06T20:41:19Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467330#M131522 <P>use <CODE>FIELD_DELIMITER</CODE> in props.conf</P> Mon, 06 Apr 2020 21:18:42 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467330#M131522 to4kawa 2020-04-06T21:18:42Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467331#M131523 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a> , I configured the structure below using props.conf and transform.conf, however, the following points did not work:</P> <P>My file name maintains a structure "qtd_ramal_diario_DDMMAAAA.txt", for example, the file "qtd_ramal_diario_05042020.txt" needs to be indexed in Splunk on 05/05/2020, how to select how to use this configuration file?</P> <UL> <LI>Another point I need that all the lines of my file are indexed to each of the events in Splunk, sending the complete file for analysis.</LI> </UL> <P>For example, if my file has 200 lines, it needs to be 200 events in Splunk.</P> <PRE><CODE>**props.conf** [linux-nice] REPORT-fields = commafields **transforms.conf** [commafields] DELIMS = ";" FIELDS = field1, field2, field3 </CODE></PRE> Wed, 30 Sep 2020 04:53:24 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467331#M131523 leandromatperei 2020-09-30T04:53:24Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467332#M131524 <BLOCKQUOTE> <P><A href="https://www.dropbox.com/s/zfr9g9e6n8hsfzj/qtd_ramal_diario_05042020.txt?dl=0">https://www.dropbox.com/s/zfr9g9e6n8hsfzj/qtd_ramal_diario_05042020.txt?dl=0</A></P> </BLOCKQUOTE> Tue, 07 Apr 2020 13:33:46 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467332#M131524 leandromatperei 2020-04-07T13:33:46Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467333#M131525 <P>see<BR /> <A href="https://answers.splunk.com/answers/311452/how-to-use-date-in-filename-as-the-timestamp-for-e.html">https://answers.splunk.com/answers/311452/how-to-use-date-in-filename-as-the-timestamp-for-e.html</A></P> Tue, 07 Apr 2020 23:34:37 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-a-txt-file/m-p/467333#M131525 to4kawa 2020-04-07T23:34:37Z