Hi, I'm a newbie in Splunk and would like to input a text file in the following format:
Rank Site First Seen Netblock Site Report Country
1 http://www.facebook.com May 1997 Facebook, Inc. Go US
2 http://www.google.com November 1998 Google Inc. Go US
3 https://www.facebook.com November 2007 Facebook, Inc. Go US
Could you advise, step by step, whether there is any conf file to modify to support this type of data, so that it can be queried and each field displayed correctly? Please note that some fields contain spaces, possibly more than one, i.e. Netblock (i.e. May 1977) and the Site Report field (Facebook, Inc.).
I didn't have any control. The above is just an example that I am using to start learning Splunk with, to get general data that is not in a default log template that Splunk already supports. I would like to learn how to input it correctly so that I can retrieve it later more efficiently.
Regarding the above example, it's CSV, and I would also like to know, if it's a text file, whether it is easy to extract data from a text file like this. If it's quite hard, please guide me, as CSV format is fine for me. However, if it's a text file and any delimiter needs to be added to make it easier, please show me an example conf to support it; that would be great.
Thank you very much.
It's hard to tell from your example, but this looks like a CSV? If so, the multikv command will extract those fields based on the first row (documented here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv).
You could also create permanent field extractions for this (not just ones based on the multikv command).
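The example below is added here and is not part of the original thread or of Splunk's own code. It shows one way to deal with the columns that contain spaces: a single regex anchored on the columns that can never contain whitespace (rank, URL, month and year, the "Go" link text, the two-letter country code), so the one free-text column can safely hold spaces and commas. It assumes the column mapping the header row implies (the month/year is "First Seen", the owner name is "Netblock", "Go" is the "Site Report" link text), the sample rows are copied from the question, and the sourcetype name in the props.conf fragment is hypothetical. The same named-group regex works unchanged as a Splunk EXTRACT- regex, since Splunk's PCRE accepts the (?P<name>...) syntax; the script also re-emits the table as quoted CSV, which is the easier route if you can rewrite the file before indexing.

```python
import csv
import io
import re

# Constructed sample: the table from the question, not real ingestion data.
SAMPLE = """Rank Site First Seen Netblock Site Report Country
1 http://www.facebook.com May 1997 Facebook, Inc. Go US
2 http://www.google.com November 1998 Google Inc. Go US
3 https://www.facebook.com November 2007 Facebook, Inc. Go US
"""

# Assumed column mapping, read from the header row.
FIELDS = ["rank", "site", "first_seen", "netblock", "site_report", "country"]

# Anchor on the fixed-shape columns; only netblock is free text and is
# matched lazily so it stops right before the "Go <CC>" tail.
ROW_RE = re.compile(
    r"^(?P<rank>\d+)\s+"
    r"(?P<site>\S+)\s+"
    r"(?P<first_seen>[A-Z][a-z]+\s+\d{4})\s+"
    r"(?P<netblock>.+?)\s+"
    r"(?P<site_report>\S+)\s+"
    r"(?P<country>[A-Z]{2})$"
)


def parse_row(line):
    """Return a dict of the six fields, or None if the line does not match."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_table(text):
    """Parse the whole table, skipping the header row and blank lines.

    Raises on a line that does not fit the expected shape, so a silently
    mis-split row cannot end up in the output."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Rank "):
            continue
        row = parse_row(line)
        if row is None:
            raise ValueError("unparsable line: %r" % line)
        rows.append(row)
    return rows


def to_csv(rows):
    """Re-emit the rows as CSV; values containing a comma get quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def props_conf_extract(sourcetype="netcraft_ranking"):
    """Build a props.conf stanza that applies ROW_RE as a search-time
    extraction. The sourcetype name is a hypothetical placeholder."""
    return "[%s]\nEXTRACT-ranking = %s\n" % (sourcetype, ROW_RE.pattern)


if __name__ == "__main__":
    parsed = parse_table(SAMPLE)
    for row in parsed:
        print(row)
    print(to_csv(parsed))
    print(props_conf_extract())
```

Because the regex refuses lines that do not fit, a row with an unexpected extra column is reported rather than quietly shifting every later field by one, which is the usual failure mode of splitting on whitespace.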