Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Importing Text file with DAT extension separated b...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hneuman
Engager
06-04-2015
06:34 AM
Good Morning
First off i been using Splunk for a year but mostly importing Logs files from Firewalls and Windows Servers.
Now i been ask to import information from a VoIP platform it comes in text files with DAT extensions and are separated by |
I been trying to import the folder containing the files but i get a triangle error handling this .. i try importing this format as a CSV and other but i just cant get splunk to imported or even read it.
Here is a simple of the data inside the DAT file
0|5558013|20150103 234659|5558888|11||11001100||634|0|201|2061||PRDCWR7B00||10||1112068888||106
0|5557815|20150103 235656|5551634|1||11001000||201|14||||PRDCWR7B00|1123011634|10||||8
0|5554908|20150103 235000|5551349|7||11001100||551|2|611|0||CS2KTOHUAWEI|1123051349|10||||68
0|5556438|20150103 235249|5555224|39||11001000||551|18||||PRDCWRJF7B00|1123995224|10||||383
Am sure its my lack of experience with importing files in splunk
Can anyone point me in the right direction
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
06-04-2015
07:07 AM
Just use a regular [monitor] in for inputting the files in the directory (i.e. in inputs.conf)
[monitor:///my/dir/*.dat]
sourcetype=my_dat
index=my_index
In props.conf, you might need to specify TIME_FORMAT
For the field extraction, use a REPORT in props.conf, and use FIELDS and DELIMS in transforms.conf
props.conf
[my_dat]
TIME_FORMAT = %Y%m%d %H%M%S
REPORT-dat = dat_pipes
transforms.conf
[dat-pipes]
DELIMS = "|"
FIELDS = field1, field2, field3 ... field20
You should probably read the Getting Data In section of the docs, and check out the documentation on REPORT field extractions.
EDIT: typo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
06-04-2015
07:07 AM
Just use a regular [monitor] in for inputting the files in the directory (i.e. in inputs.conf)
[monitor:///my/dir/*.dat]
sourcetype=my_dat
index=my_index
In props.conf, you might need to specify TIME_FORMAT
For the field extraction, use a REPORT in props.conf, and use FIELDS and DELIMS in transforms.conf
props.conf
[my_dat]
TIME_FORMAT = %Y%m%d %H%M%S
REPORT-dat = dat_pipes
transforms.conf
[dat-pipes]
DELIMS = "|"
FIELDS = field1, field2, field3 ... field20
You should probably read the Getting Data In section of the docs, and check out the documentation on REPORT field extractions.
EDIT: typo
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
