Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create a source type of file positional

rafamss
Contributor
‎12-12-2013 08:17 AM

Hi guys,

I have a file that contains blocks of data that are positionals, they have the size of fields Folloowing sample:

For the first field, the position could be the first byte with size of 3 positions and each fields following have a rule specific.

0083410001049703K ARQB4_B8E4_07 000000TESTENT 2513145609235200000000000000 CP000000000000WW

How to create a source type for this ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-12-2013 08:51 AM

When you tell Splunk to index the file, in inputs.conf (or in the GUI), give it a sourcetype name. Just choose a name that doesn't already exist and you will be fine ...

inputs.conf 

[monitor:///path/to/mylogfile.log]
sourcetype = myNewSourcetype

Now you have a new sourcetype. To define the fields, you can use props.conf (and transforms.conf) quite easily.
For example, if the first field is 6 digits and the second field is 4 digits, you could do this

props.conf 

[myNewSourcetype]
EXTRACT-mns1 = (?<Field1>\d{6})(?<Field2>\d{4})

You do need to know regular expressions, and you should probably also read

The docs Create and maintain field extractions...

This answer define custom fixed fields

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-12-2013 08:51 AM

When you tell Splunk to index the file, in inputs.conf (or in the GUI), give it a sourcetype name. Just choose a name that doesn't already exist and you will be fine ...

inputs.conf 

[monitor:///path/to/mylogfile.log]
sourcetype = myNewSourcetype

Now you have a new sourcetype. To define the fields, you can use props.conf (and transforms.conf) quite easily.
For example, if the first field is 6 digits and the second field is 4 digits, you could do this

props.conf 

[myNewSourcetype]
EXTRACT-mns1 = (?<Field1>\d{6})(?<Field2>\d{4})

You do need to know regular expressions, and you should probably also read

The docs Create and maintain field extractions...

This answer define custom fixed fields

Reply
Solved! Jump to solution

rafamss
Contributor
‎12-12-2013 11:38 AM

Hi Iguinn,

The problem was in the file. 😞

Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

rafamss
Contributor
‎12-12-2013 10:17 AM

Hi lguinn,

I have one problem, in my file has blank spaces and special characters. When I put the regex for extract the information that i need, it's not understanding this.

Do you know the which I need to do ? I tried use \D \d or just the dot for get the information, without success.

PS. I looked in the links above.

Thanks.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...