topic pipe separated instead of csv in Splunk Search https://community.splunk.com/t5/Splunk-Search/pipe-separated-instead-of-csv/m-p/56107#M179837 <H2>I was wondering if it is possible to build a regex for a pipe separated file… Where the Header row carries the name of the field. Example – </H2> <P>EmployeeID|FirstName|LastName|MiddleName|GivenName|EmployeeStatus|EmployeeType|Action|EffectiveDate|Hire_Date|TerminationDate|RehireDate|CO_ID|Paygroup|DISTRICT|OpsDistrict|Store|JobCode|Title|Department|Country|HiringManager_Emp_ID|Supervisor_Emp_ID|StoreMenuLevel|UserRegion|UserDistrict|EmployeeClass|HomeDeptName|ManagerLevelCode|LastModifiedDate||ExpBatchDate<BR /> 013216|Corey|Forey|M||A|F|PAY|2012-07-01|1999-04-03|1900-01-01|1900-01-01|GCS|GC1|033|033|339|1071|Operations Manager|575000|NULL|32342|32342|9|2|033|OPS|Ops Managers|3|2012-07-17|2013-03-08<BR /> 013243|Jose|Fose|M||A|F|PAY|2012-07-01|1999-04-05|1900-01-01|1900-01-01|GCS|GC1|015|015|226|1983|Sales Associate|415000|NULL|51184|51184|6|1|015|SLS|Asst Manager|6|2013-03-01|2013-03-08</P> <HR /> <P>It of course works fine if I convert the file to a csv file. So basically I want to use the csv source type but use “|” instead of comma…</P> Mon, 28 Sep 2020 13:28:57 GMT chetanvartak 2020-09-28T13:28:57Z pipe separated instead of csv https://community.splunk.com/t5/Splunk-Search/pipe-separated-instead-of-csv/m-p/56107#M179837 <H2>I was wondering if it is possible to build a regex for a pipe separated file… Where the Header row carries the name of the field. Example – </H2> <P>EmployeeID|FirstName|LastName|MiddleName|GivenName|EmployeeStatus|EmployeeType|Action|EffectiveDate|Hire_Date|TerminationDate|RehireDate|CO_ID|Paygroup|DISTRICT|OpsDistrict|Store|JobCode|Title|Department|Country|HiringManager_Emp_ID|Supervisor_Emp_ID|StoreMenuLevel|UserRegion|UserDistrict|EmployeeClass|HomeDeptName|ManagerLevelCode|LastModifiedDate||ExpBatchDate<BR /> 013216|Corey|Forey|M||A|F|PAY|2012-07-01|1999-04-03|1900-01-01|1900-01-01|GCS|GC1|033|033|339|1071|Operations Manager|575000|NULL|32342|32342|9|2|033|OPS|Ops Managers|3|2012-07-17|2013-03-08<BR /> 013243|Jose|Fose|M||A|F|PAY|2012-07-01|1999-04-05|1900-01-01|1900-01-01|GCS|GC1|015|015|226|1983|Sales Associate|415000|NULL|51184|51184|6|1|015|SLS|Asst Manager|6|2013-03-01|2013-03-08</P> <HR /> <P>It of course works fine if I convert the file to a csv file. So basically I want to use the csv source type but use “|” instead of comma…</P> Mon, 28 Sep 2020 13:28:57 GMT https://community.splunk.com/t5/Splunk-Search/pipe-separated-instead-of-csv/m-p/56107#M179837 chetanvartak 2020-09-28T13:28:57Z Re: pipe separated instead of csv https://community.splunk.com/t5/Splunk-Search/pipe-separated-instead-of-csv/m-p/56108#M179838 <P>You could use a props/transform if you reuse the same file for output.</P> <P>In props.conf:</P> <P><CODE>[your_sourcetype]<BR /> REPORT-pullpipes = st-pull-pipe</CODE></P> <P>In transforms.conf:</P> <P><CODE>[st-pull-pipe]<BR /> DELIMS = "|"<BR /> FIELDS = "EmployeeID", "FirstName", "LastName", "MiddleName", etc.....<BR /> </CODE></P> Fri, 08 Mar 2013 19:37:30 GMT https://community.splunk.com/t5/Splunk-Search/pipe-separated-instead-of-csv/m-p/56108#M179838 alacercogitatus 2013-03-08T19:37:30Z