https://community.splunk.com/t5/Splunk-Search/Not-automatically-recognizing-fields/m-p/94808#M24507 <P>You should either put timestamps in your data, or set <CODE>DATETIME_CONFIG = CURRENT</CODE> for your sourcetype.</P> Tue, 30 Nov 2010 04:57:21 GMT gkanapathy 2010-11-30T04:57:21Z https://community.splunk.com/t5/Splunk-Search/Not-automatically-recognizing-fields/m-p/94805#M24504 <P>I have data that is not being recognized. A PowerShell script outputs data (that I copied to a file for testing) that looks like this:</P> <P>Identity = MAILHUB2\45191, DeliveryType = SmtpRelayToTiRg, Status = Ready, MessageCount = 0<BR /> Identity = MAILHUB2\45210, DeliveryType = MapiDelivery, Status = Ready, MessageCount = 0<BR /> Identity = MAILHUB2\45226, DeliveryType = MapiDelivery, Status = Ready, MessageCount = 0<BR /> Identity = MAILHUB2\45235, DeliveryType = MapiDelivery, Status = Ready, MessageCount = 0 </P> <P>I formatted the PowerShell output like what I saw in the manual, which described the formatting as "Splunk loves these files. It eats them like jam (or chocolate)", from <A href="http://www.splunk.com/base/Documentation/latest/AppManagement/Getdata" rel="nofollow">http://www.splunk.com/base/Documentation/latest/AppManagement/Getdata</A>. </P> <P>Well it doesn't like that formatting! I've played with this endlessly, changing commas, replacing = with :...no luck.</P> <P>Splunk idexes it like this:</P> <P>1<BR /> 11/25/10 1:56:07.000 PM<BR /> geCount = 0 host=localhost Options| sourcetype=access_combined Options| source=script Options</P> <P>2<BR /> 11/25/10 1:56:07.000 PM<BR /> Identity = MAILHUB1\Submission, DeliveryType = Undefined, Status = Ready, Messa host=localhost Options| sourcetype=access_combined Options| source=script Options</P> <P>3<BR /> 11/25/10 1:56:07.000 PM<BR /> Count = 0 host=localhost Options| sourcetype=access_combined Options| source=script Options</P> <P>Please help! Thanks.</P> Fri, 26 Nov 2010 04:02:58 GMT https://community.splunk.com/t5/Splunk-Search/Not-automatically-recognizing-fields/m-p/94805#M24504 jamesklassen 2010-11-26T04:02:58Z https://community.splunk.com/t5/Splunk-Search/Not-automatically-recognizing-fields/m-p/94806#M24505 <P>The data has a new line for each piece of data, I'm not sure why it's not formatted like that above. Each line starts with Identity</P> Fri, 26 Nov 2010 04:04:17 GMT https://community.splunk.com/t5/Splunk-Search/Not-automatically-recognizing-fields/m-p/94806#M24505 jamesklassen 2010-11-26T04:04:17Z https://community.splunk.com/t5/Splunk-Search/Not-automatically-recognizing-fields/m-p/94807#M24506 <P>I figured it out. I tried doing it as CSV, where the first line contains the column headings. I set the script sourcetype to csv-4. Here's the powershell formatting:</P> <P></P><HR /><P></P> <P>write-host "Identity, DeliveryType, Status, MessageCount"</P> <P>$output = $queue.identity.ToString() + ", " + $queue.deliverytype + ", " + $queue.status + ", " + $queue.MessageCount</P> <P>$output</P> <P></P><HR /><P></P> <P>Splunk now recognizes the field names, and I can alert on when my queues fill up...</P> Fri, 26 Nov 2010 04:41:58 GMT https://community.splunk.com/t5/Splunk-Search/Not-automatically-recognizing-fields/m-p/94807#M24506 jamesklassen 2010-11-26T04:41:58Z https://community.splunk.com/t5/Splunk-Search/Not-automatically-recognizing-fields/m-p/94808#M24507 <P>You should either put timestamps in your data, or set <CODE>DATETIME_CONFIG = CURRENT</CODE> for your sourcetype.</P> Tue, 30 Nov 2010 04:57:21 GMT https://community.splunk.com/t5/Splunk-Search/Not-automatically-recognizing-fields/m-p/94808#M24507 gkanapathy 2010-11-30T04:57:21Z