Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract data from text file without Headers

shilpi
New Member
‎11-19-2013 02:48 PM

I have a text with values separated by spaces.This file does not have any headers. I need to add headers to this file and use this file in splunk. I can not manually do that as I will be getting a similar file every 15 minutes daily. Is there any way to do it using field extraction or something else in splunk?

Tags (2)
0 Karma
Reply

lukejadamec
Super Champion
‎11-19-2013 03:33 PM

The inputs.conf file needs to be on the forwarder that is monitoring the log directory. The props.conf and transforms.conf should be in the splunk\etc\system\local\ directory of the indexer. If those files don’t exist, then create them – make sure they have a .conf extension and not a .conf.txt extension.
You may need to further refine the configs, but if so you’ll need to provide more information.

inputs.conf

[monitor://blankpathtofiledirectory]
disabled = false
index = default
sourcetype = yourblanksourcetype

props.conf

[yourblanksourcetype]
SHOULD_LINEMERGE = false
TIME_FORMAT = blank
MAX_TIMESTAMP_LOOKAHEAD = blank
REPORT-spaced = spacedfields

transforms.conf

[spacedfields]
DELIMS = “ “
FIELDS =  list of comma separated fields
Reply

lukejadamec
Super Champion
‎11-20-2013 07:59 AM

So the person asking the question knows where information is missing.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎11-20-2013 02:04 AM

why the explicit use of 'blank'?

/K

0 Karma
Reply

lukejadamec
Super Champion
‎11-19-2013 03:15 PM

Can you post the header, or some obfuscated reference header that you'll understand when we stick it in a configuration example?

0 Karma
Reply

shilpi
New Member
‎11-19-2013 03:12 PM

Yeah header will always be the same

0 Karma
Reply

shilpi
New Member
‎11-19-2013 03:11 PM

Also, please let me know if this can be done from splunk forwarders or do we need to go to splunk searchhead.Please let me know in case I need to do any changes from splunk UI as well

0 Karma
Reply

lukejadamec
Super Champion
‎11-19-2013 02:55 PM

Space separated files are easy to index if the files all have the same field composition.
If you could put a header in every file, would it always be the same header? If so, post it.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...