https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148764#M185427 <P>Also, please let me know if this can be done from splunk forwarders or do we need to go to splunk searchhead.Please let me know in case I need to do any changes from splunk UI as well</P> Tue, 19 Nov 2013 23:11:41 GMT shilpi 2013-11-19T23:11:41Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148762#M185425 <P>I have a text with values separated by spaces.This file does not have any headers. I need to add headers to this file and use this file in splunk. I can not manually do that as I will be getting a similar file every 15 minutes daily. Is there any way to do it using field extraction or something else in splunk?</P> Tue, 19 Nov 2013 22:48:40 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148762#M185425 shilpi 2013-11-19T22:48:40Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148763#M185426 <P>Space separated files are easy to index if the files all have the same field composition.<BR /> If you could put a header in every file, would it always be the same header? If so, post it.</P> Tue, 19 Nov 2013 22:55:08 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148763#M185426 lukejadamec 2013-11-19T22:55:08Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148764#M185427 <P>Also, please let me know if this can be done from splunk forwarders or do we need to go to splunk searchhead.Please let me know in case I need to do any changes from splunk UI as well</P> Tue, 19 Nov 2013 23:11:41 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148764#M185427 shilpi 2013-11-19T23:11:41Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148765#M185428 <P>Yeah header will always be the same</P> Tue, 19 Nov 2013 23:12:31 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148765#M185428 shilpi 2013-11-19T23:12:31Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148766#M185429 <P>Can you post the header, or some obfuscated reference header that you'll understand when we stick it in a configuration example?</P> Tue, 19 Nov 2013 23:15:51 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148766#M185429 lukejadamec 2013-11-19T23:15:51Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148767#M185430 <P>The inputs.conf file needs to be on the forwarder that is monitoring the log directory. The props.conf and transforms.conf should be in the splunk\etc\system\local\ directory of the indexer. If those files don’t exist, then create them – make sure they have a .conf extension and not a .conf.txt extension.<BR /> You may need to further refine the configs, but if so you’ll need to provide more information.</P> <P>inputs.conf</P> <PRE><CODE>[monitor://blankpathtofiledirectory] disabled = false index = default sourcetype = yourblanksourcetype </CODE></PRE> <P>props.conf</P> <PRE><CODE>[yourblanksourcetype] SHOULD_LINEMERGE = false TIME_FORMAT = blank MAX_TIMESTAMP_LOOKAHEAD = blank REPORT-spaced = spacedfields </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[spacedfields] DELIMS = “ “ FIELDS = list of comma separated fields </CODE></PRE> Tue, 19 Nov 2013 23:33:43 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148767#M185430 lukejadamec 2013-11-19T23:33:43Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148768#M185431 <P>why the explicit use of 'blank'? </P> <P>/K</P> Wed, 20 Nov 2013 10:04:23 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148768#M185431 kristian_kolb 2013-11-20T10:04:23Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148769#M185432 <P>So the person asking the question knows where information is missing.</P> Wed, 20 Nov 2013 15:59:31 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-text-file-without-Headers/m-p/148769#M185432 lukejadamec 2013-11-20T15:59:31Z