How do I load the custom delimited file with heade...

khreddy · ‎03-15-2018

I have a delimited header file of the below format:

A ~~ B ~~ C ~~ D ~~ E
1 ~~ 2 ~~ 3 ~~ 4 ~~ 5
2 ~~ 3 ~~ 4 ~~ 5 ~~ 6
1 ~~ 3 ~~ 2 ~~ 3 ~~ 4

The above has 3 events and five fields A,B,C,D,E

I tried HEADER_FIELD_LINE_NUMBER = 1 in props.conf
DELIMS = "~~" in transforms.conf
This did not do the trick.

what am I missing here?

maciep · ‎03-15-2018

I think you're sort of mixing solutions here. If you haven't already, please read up on the phases of data in Splunk.

If you want to do this during the input phase (on your forwarder), then you probably want to play with these settings in your props.conf on the forwarder. For example, something like this maybe (didn't verify)

[your sourcetype]
HEADER_FIELD_LINE_NUMBER = 1
HEADER_FIELD_DELIMITER = ~~
FIELD_DELIMITER = ~~

Or if you want to do it during search time, you can use props/transforms on your search head. You can probably find a lot of examples like this out here and it's documented in the spec files as well. Something like this maybe (didn't verify).

props.conf

[your sourcetype]
REPORT-my_fields = tilde_fields

transforms.conf

[tilde_fields]
DELIMS = ~~
FIELDS = A,B,C,D,E

adonio · ‎03-15-2018

hello there,

looks like there is a space " " there as well, correct?
check out this answer:
https://answers.splunk.com/answers/170826/set-delimiter.html

hope it helps

How do I load the custom delimited file with header into splunk

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL