https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10932#M625 <P>perhaps you mean</P> <PRE><CODE>DELIMS=\t </CODE></PRE> Tue, 28 Jul 2015 12:04:01 GMT landen99 2015-07-28T12:04:01Z https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10924#M617 <P>I am looking to read into SPLUNK a tab delimited file. But most of what I see is key based Field Extractions (, space, etc.)</P> <P>Is there an example of how this might be done with TAB?</P> Mon, 05 Apr 2010 23:58:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10924#M617 Alan_Bradley 2010-04-05T23:58:21Z https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10925#M618 <P>You should be able to make it work as with CSV files:</P> <PRE><CODE>[mysourcetype] DELIMS = "\t" FIELDS = field1,f2,fieldthree </CODE></PRE> <P>but specifying <CODE>\t</CODE> instead of <CODE>,</CODE> as the delimiter.</P> Tue, 06 Apr 2010 01:11:23 GMT https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10925#M618 gkanapathy 2010-04-06T01:11:23Z https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10926#M619 <P>where can i configutre this?</P> Fri, 21 Oct 2011 00:56:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10926#M619 camaney 2011-10-21T00:56:35Z https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10927#M620 <P>According to <A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Create_advanced_search-time_field_extractions_with_field_transforms">this</A>, you configure this in transforms.conf BUT you also need a basic entry in props.conf that connects to the transform, e.g.:<BR /> include this in props.conf:</P> <PRE><CODE>[My Source Type 1] NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = false pulldown_type = 1 REPORT-myname = mydelim </CODE></PRE> <P>And include this in transforms.conf:</P> <PRE><CODE>[mydelim] DELIMS = "\t" FIELDS = "TimeStamp","Colour","First Name","Shape" </CODE></PRE> <P>Both files should reside in <BR /> $SPLUNK_HOME/etc/system/local/<BR /><BR /> e.g. C:\Program Files\Splunk\etc\system\local</P> <P>I have described this exact process in more detail <A href="http://splunk-base.splunk.com/answers/63750/cant-extract-fields-names-from-tab-delimited-source">here</A> - including the surprisingly difficult task of seeing the new field names once you have extracted them!</P> Mon, 29 Oct 2012 23:57:16 GMT https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10927#M620 nosignal 2012-10-29T23:57:16Z https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10928#M621 <P>nosignal, i tested your sample and in my case perfect worked. Thank you!</P> Thu, 08 Aug 2013 16:33:49 GMT https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10928#M621 rafamss 2013-08-08T16:33:49Z https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10929#M622 <P>Hi nosignal,</P> <P>I included above things in props.conf and transforms.conf. But in preview of my log file I am getting the output like this.</P> <P>Timestamp Event<BR /> 1 11/19/13 6:46:50.000 PM "Time" "Temparature"</P> <P>2 11/12/13 4:23:52.051 PM "11/12/2013 16:23:52.051" "+50"</P> <P>3 11/12/13 4:23:53.051 PM "11/12/2013 16:23:53.051" "-40"</P> <P>4 11/12/13 4:23:54.051 PM "11/12/2013 16:23:54.051" "-60"</P> <P>5 11/12/13 4:23:55.051 PM "11/12/2013 16:23:55.051" "+50"</P> <P>6 11/12/13 4:23:55.051 PM</P> <P>I did follow by querying this like you said ..|stats dc(*) as *. But no use. Can you please help me in this regard?</P> <P>Thanks,<BR /> Tiru</P> Wed, 20 Nov 2013 04:25:49 GMT https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10929#M622 tirusplunk 2013-11-20T04:25:49Z https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10930#M623 <P>Hi rafamss,</P> <P>I included above things in props.conf and transforms.conf. But in preview of my log file I am getting the output like this.</P> <P>Timestamp Event 1 11/19/13 6:46:50.000 PM "Time" "Temparature"</P> <P>2 11/12/13 4:23:52.051 PM "11/12/2013 16:23:52.051" "+50"</P> <P>3 11/12/13 4:23:53.051 PM "11/12/2013 16:23:53.051" "-40"</P> <P>4 11/12/13 4:23:54.051 PM "11/12/2013 16:23:54.051" "-60"</P> <P>5 11/12/13 4:23:55.051 PM "11/12/2013 16:23:55.051" "+50"</P> <P>6 11/12/13 4:23:55.051 PM</P> <P>I did follow by querying this like you said ..|stats dc(*) as *. But no use. Can you please help me in this regard?</P> <P>Thanks, Tiru</P> Wed, 20 Nov 2013 04:27:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10930#M623 tirusplunk 2013-11-20T04:27:24Z https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10931#M624 <P>Hi Tiru,</P> <P>Try this way: sourcetype[] | timechart count by temperature</P> <P>Verify if works!</P> <P>Thanks, Rafael</P> Fri, 22 Nov 2013 17:39:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10931#M624 rafamss 2013-11-22T17:39:42Z https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10932#M625 <P>perhaps you mean</P> <PRE><CODE>DELIMS=\t </CODE></PRE> Tue, 28 Jul 2015 12:04:01 GMT https://community.splunk.com/t5/Splunk-Search/How-do-index-TAB-delimited-files/m-p/10932#M625 landen99 2015-07-28T12:04:01Z