How do I load the custom delimited file with heade...

khreddy · ‎03-15-2018

I have a delimited header file of the below format:

A ~~ B ~~ C ~~ D ~~ E
1 ~~ 2 ~~ 3 ~~ 4 ~~ 5
2 ~~ 3 ~~ 4 ~~ 5 ~~ 6
1 ~~ 3 ~~ 2 ~~ 3 ~~ 4

The above has 3 events and five fields A,B,C,D,E

I tried HEADER_FIELD_LINE_NUMBER = 1 in props.conf
DELIMS = "~~" in transforms.conf
This did not do the trick.

what am I missing here?

maciep · ‎03-15-2018

I think you're sort of mixing solutions here. If you haven't already, please read up on the phases of data in Splunk.

If you want to do this during the input phase (on your forwarder), then you probably want to play with these settings in your props.conf on the forwarder. For example, something like this maybe (didn't verify)

[your sourcetype]
HEADER_FIELD_LINE_NUMBER = 1
HEADER_FIELD_DELIMITER = ~~
FIELD_DELIMITER = ~~

Or if you want to do it during search time, you can use props/transforms on your search head. You can probably find a lot of examples like this out here and it's documented in the spec files as well. Something like this maybe (didn't verify).

props.conf

[your sourcetype]
REPORT-my_fields = tilde_fields

transforms.conf

[tilde_fields]
DELIMS = ~~
FIELDS = A,B,C,D,E

adonio · ‎03-15-2018

hello there,

looks like there is a space " " there as well, correct?
check out this answer:
https://answers.splunk.com/answers/170826/set-delimiter.html

hope it helps

How do I load the custom delimited file with header into splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation