Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to parse out asterisk delimited format?

skirven
Communicator
‎04-13-2022 05:31 AM

Hi! I'm having a struggle trying to get Splunk to recognize a file that's in Asterisk Delimited Format. I have the props.conf set like this below, running on a Splunk 7.3.8 HF, sending the cooked data to a 8.1.72 Search Peer. Nothing I've tried will get the data to parse correctly. Everything I'm reading, this should work. I've opened a support case, but I'm going around in circles with them, so if anyone has any thought here, I would appreciate it!

 

 

 

[ sourcetype ]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
FIELD_DELIMITER=*
FIELD_NAMES=timestamp,.....
TRUNCATE=50000

 

 

 

Thanks,
Stephen 

Labels (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-13-2022 05:57 AM

Hi @skirven,

as you can read at https://docs.splunk.com/Documentation/Splunk/8.2.6/admin/Propsconf to use the FIELD_DELIMITER, you have to set the INDEXED_EXTRACTIONS parameter, which kind of file are you using? a CSV?

Ciao.

Giuseppe

0 Karma
Reply

skirven
Communicator
‎04-13-2022 06:08 AM

Thanks. I did see that, and had tried that. The file is a log file, but in Asterisk Delimited Format. I'll test with INDEXED_EXTRACTIONS=CSV and the FIELD_DELIMITER=* and see what happens.

Thanks.
Stephen

0 Karma
Reply

skirven
Communicator
‎04-13-2022 08:36 AM

That didn't work either. 😞

[ sourcetype ]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
FIELD_DELIMITER=*
FIELD_NAMES=timestamp,.....
TRUNCATE=50000
INDEXED_EXTRACTIONS=CSV
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...