Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Tab separated events in log - how do I parse it into fields?

brent_weaver
Builder
‎02-13-2017 04:31 AM

I dont know why I cannot get this to work BUT, I have a log that is TSV and I want to carve out the fields. Beyond TSV the first field needs to be parsed as colon separated and my timestamp is the second part of that first field. How do I accomplish this? These are actually bro logs that do not parse correctly with he Spunk App for bro IDS. This app is for v2.4< and we are on 2.5. Any help is much appreciated!

Reply

jkat54
SplunkTrust
SplunkTrust
‎02-13-2017 08:09 AM

Here's one way, put this props on your forwarders & indexers.

[sourcetypeName]
INDEXED_EXTRACTIONS=TSV
FIELD_NAMES = _time, fielda, fieldb, fieldc
0 Karma
Reply

brent_weaver
Builder
‎02-13-2017 08:16 AM

Here is my props.conf:

splunk[/opt/splunk/etc/apps/bro/local] # cat props.conf
[bro]
INDEXED_EXTRACTIONS = TSV
FIELD_NAMES = field1, field2, field3, field4
splunk[/opt/splunk/etc/apps/bro/local] #

This did not work, I am sorry.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-13-2017 08:24 AM

I noticed this is in /opt/splunk... Do you have a distributed environment?

Can you explain the integration's architecture like below?

bro logs -> universal forwarder -> indexer -> search heads

or maybe

bro logs -> indexer & search head

etc.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-13-2017 07:32 AM

I find it hard to believe the bro logs dont parse correctly with the splunk app for bro IDS. Did you follow the installation instructions completely?

Do you have a distributed splunk install? If so, where did you put the props?

0 Karma
Reply

brent_weaver
Builder
‎02-13-2017 08:03 AM

I did follow the instructions, which clearly state that it is compatible with =

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-13-2017 06:11 AM

Some sample data would be helpful.

---
If this reply helps you, Karma would be appreciated.
Reply

brent_weaver
Builder
‎02-13-2017 08:05 AM

A sample data would be:

1/3/2016 11:05:05\tfield1\tfield2\tfield3

please note that I cannot put the tabs in there so I used the \t esc character. This is just a sample of data for testing purposes.
Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...