Re: Does Splunk allow you to validate structure of...

mahbs · ‎11-21-2017

Hi,

I need to be able to validate the format of a file. This entails checking if a date column is actually a date column and if the format of the date value is in the correct format.
I'm not concerned with the content of the data, i.e. im not validating the content, rather I'm more focused on the structure of the data.

Does splunk allow this? And if so how would I go about achieving this?

Thanks

afamoyib · ‎11-22-2017

No splunk does not do this. However you can write a script outside splunk and use that script to validate the file meets the format you want before moving it to a folder splunk is ingesting. This is the work around i used to get around files with weird or unreadable formats to splunk

mahbs · ‎11-22-2017

Could you recommend me the best platform to do this?

lycollicott · ‎11-21-2017

Splunk recognizes lots of file formats (https://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Listofpretrainedsourcetypes)

If your file is something unique to your business then I suggest that you make sure that whatever process which creates it does so correctly.

mahbs · ‎11-22-2017

Hi,

I'm focused mainly on writing queries that basically validates whether a file is in the correct format and then outputting those files that fail validation. I'm not focused on the content, rather the structure - Does Splunk enable this?

lycollicott · ‎11-23-2017

No, it does not. You would have to do that externally.

Does Splunk allow you to validate structure of a file?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?