
Troubles with creating a new source type

osherma
Explorer

Hi there,

I've been trying to create a new source type, but, unfortunately, with no success.

My data is uploaded from a CSV file (hold your horses, there's a small catch).
I put all of the relevant files in a folder (I use Windows) named "C:\Users\USERNAME\Desktop\USERNAME...\packetLog" - I want Splunk to continually index new files in this folder.

Each line in the CSV files looks like this (each field is separated by a semicolon):

1375781456.56672;2013-08-06 12:30:56.056672;1;1;1;1;0x0;1514;1500;1480;0xc5f7;0x4000;58;6;TCP;0x4848;0x5250fa16;82.80.250.22;0xd4b30bc2;212.179.11.194;80;34212;0xa20f32aa;0x82f09e0a;0;0;0;0;1;0;0;0;54;0x9b4d0000;-1;-1;0x0;-1;0x0;0;0;0;0;0

After reviewing some online documentation and examples, I created a new sourcetype in C:\Program Files\Splunk\etc\system\local\props.conf:

[source::...\packetLog...]
sourcetype = Analyzer_packets
FIELD_DELIMITER = ";"
FIELD_NAMES = "TIMESTAMP","TIMESTAMP_Friendly","PacketId","FlowId","pcap_ID",...(and so on for the other field names).

As you can probably see, creating fields with Regex in this case is extremely difficult, since more than one value has the same (or very similar) pattern.

Your help will be greatly appreciated. If there's a need for additional info just say so.
Thanks!

1 Solution

rafamss
Contributor

Hi osherma,

Try this:

Instead of FIELD_DELIMITER = ";", use DELIMS = ";"
Instead of FIELD_NAMES, use FIELDS = "field1","field2","field3"

Stop and start Splunk.

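As an added example that is not from the original thread: DELIMS and FIELDS are transforms.conf settings, not props.conf settings, and the props.conf sourcetype stanza has to point at them with a REPORT- entry before Splunk will use them. Below is the layout that ties the answer's suggestion to the question's source path. The transform name packet_delims and the REPORT- class name packet_fields are assumed names; the FIELDS list stops at the five names the question shows, since the rest of the header is elided there.

```ini
# props.conf  (C:\Program Files\Splunk\etc\system\local\props.conf, or an app's local\ directory)

# Assign the sourcetype by source path, as written in the question.
[source::...\packetLog...]
sourcetype = Analyzer_packets

# The delimiter extraction is configured per sourcetype and runs at search time.
# REPORT-<class> names a stanza in transforms.conf; "packet_fields" and "packet_delims" are assumed names.
[Analyzer_packets]
REPORT-packet_fields = packet_delims


# transforms.conf  (same directory as props.conf)

# DELIMS and FIELDS belong here. List one field name per column, in column order;
# the remaining names from the CSV header continue this list.
[packet_delims]
DELIMS = ";"
FIELDS = "TIMESTAMP","TIMESTAMP_Friendly","PacketId","FlowId","pcap_ID"
```

Restart Splunk after editing either file by hand, as the thread says. To confirm which copy of the stanza Splunk is actually using (for example, a UI-created sourcetype in an app overriding the one in etc/system/local), run `splunk btool props list Analyzer_packets --debug` from the bin directory; it prints each effective setting together with the file it came from.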


osherma
Explorer

I did restart Splunk, but it didn't change anything.


somesoni2
SplunkTrust

A restart is required if you make any changes to a .conf file directly. I hope you are doing that.

osherma
Explorer

(For some reason I can't edit my question, so here's some more info:)

The field extraction does not work at all: Splunk doesn't recognize the files from the specific folder as a different sourcetype, and even worse, it doesn't extract the fields even when I apply the source type manually.
First I had tried to change the props.conf file with a text editor (but it didn't appear in the sources list in the Splunk UI), and then I created the new sourcetype through the UI itself.

The name of the folder is "C:\Users\USERNAME\Desktop\USERNAME...packetLog\"