Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Hunk - specify delimiter when using SplunkLineRecordReader

conwaygene
Engager
‎05-07-2015 08:34 AM

How does one specify the delimiter when using SplunkLineRecordReader? Trying to read in a csv file with a header and delimited by '|'. Currently, Splunk is reading in the line as one field.

Thanks.

Tags (3)
0 Karma
Reply

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎05-07-2015 11:03 AM

Given that | is not part of commonly used CSV formats out there you'd have to use Hunk's delimiter based KV extraction by using props/transforms.conf

$SPLUNK_HOME/etc/apps/search/local/props.conf
[my-sourcetype]
REPORT-delim = pipe-extractor

$SPLUNK_HOME/etc/apps/search/local/transforms.conf
[pipe-extractor]
FIELDS = field1,field2, ....
DELIMS = |

You can read a blog post about the technique here

Reply

conwaygene
Engager
‎05-07-2015 11:17 AM

Now working. You rock!

0 Karma
Reply
Get Updates on the Splunk Community!

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...

Customer Experience | Call for Stories: Your 2023 Journey with Splunk!

Share your Splunk journey: Splunk is committed to supporting our customers toward success. As the year draws ...

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...