How can I change splunk default parser and use my ...

MarcHelou · ‎06-14-2017

let's say i have a file that I would like to input it to splunk.
but I want to have a better parser, a smarter one. how can I change the way splunk handles the incoming streams, not just taking each line by its own but applying my own code on how to arrange streams of data.

woodcock · ‎06-14-2017

File a P1 Enhancement Request (there already is one for this).

MarcHelou · ‎06-15-2017

can you be more specific please?
Do you mean the support programs?
in other ways what I am trying to look for is a way to change the parser in splunk, so splitting income data happens in a different way than what splunk offers

davebrooking · ‎06-15-2017

Can you provide some examples of how the data may appear in the original file, and how that data should then be indexed by Splunk?

micahkemp · ‎06-14-2017

Have you looked into Modular Inputs?

MarcHelou · ‎06-15-2017

Yes but I want to try and change how splunk arranges tuples from incoming streams and not only post each line as an event, for anonymity purposes. I want to specify how it cuts the incoming data into event and how to index them depending on several factors

How can I change splunk default parser and use my own way of re-arranging data?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!