What is the syntax to configure DELIMS= in transfo...

hagjos43 · ‎04-29-2015

I'm ingesting a custom sourcetype (output from a powershell script). Within the transforms.conf, how do I set the DELIMS=linebreak? I see that it can be done, but I cannot find the syntax to do so. Essentially I'm asking what is the value I need to place after the DELIMS= to accomplish this?

Many thanks!

alanden_splunk · ‎06-01-2017

I know this is an old question, but the audience should be asking whether the purpose is to extract fields with a transforms DELIMS configuration, or to separate each line to a separate event as the LINE_BREAKER =([ \r\n ]+) setting in the answer below suggests.

stephane_cyrill · ‎04-29-2015

Hi here is an example of usage:

props.conf:

[your_data_sourcetype ]
SHOULD_LINEMERGE = false
LINE_BREAKER =([ \r\n ]+)
REPORT - delims= commalist

transforms.conf:

[commalist ]
DELIMS = ","
FIELDS = field1 , field2 , field3 ,
...

you can also use in your props.conf options like:

LINE_BREAKER =..... 
SHOULD_LINEMERGE = false 
BREAK_ONLY_BEFORE = .....
MUST_BREAK_AFTER = .....
FIELD_DELIMITER =...

alanden_splunk · ‎06-01-2017

this separates lines into events, which may not be what is being asked, since DELIMS is used to do field extractions in transforms.conf.

What is the syntax to configure DELIMS= in transforms.conf for line breaking?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...