Splunk does not detect pipe separated headers

awagner · ‎10-25-2013

Hi All,

I am trying to load files with headers. The files are simple pipe-separated files. I use the following in props.conf:

FIELD_DELIMITER="|"

In this case, the file is indexed, but the fields are not shown.

If I omit the ", like this:

FIELD_DELIMITER=|

the file is not indexed at all.

If I change all pipes to commas in the input file, and use

FIELD_DELIMITER=,

the file gets indexed, and the fields are all there.

Is there a way to get Splunk load pipe separated files? I don't want to define the fields in transform, because they keep changing from file to file.

Thanks,
Ambrus

yannK · ‎10-25-2013

Take a look at the new header field extraction since version 6.*.

try an escape character before
FIELD_DELIMITER = \|

awagner · ‎10-25-2013

I tried the backslash | version, still nothing.

awagner · ‎10-25-2013

I also tried INDEXED_EXTRACTIONS = PSV, but no change.

awagner · ‎10-25-2013

Now I have this in props.conf:

FIELD_DELIMITER = "|"
HEADER_FIELD_DELIMITER = "|"
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1

Still no luck. The file is indexed, but the fields are not there.

Are you a member of the Splunk Community?