Solved: How do index TAB delimited files?

Alan_Bradley · ‎04-05-2010

I am looking to read into SPLUNK a tab delimited file. But most of what I see is key based Field Extractions (, space, etc.)

Is there an example of how this might be done with TAB?

gkanapathy · ‎04-05-2010

You should be able to make it work as with CSV files:

[mysourcetype]
DELIMS = "\t"
FIELDS = field1,f2,fieldthree

but specifying \t instead of , as the delimiter.

View solution in original post

rafamss · ‎08-08-2013

nosignal, i tested your sample and in my case perfect worked. Thank you!

rafamss · ‎11-22-2013

Hi Tiru,

Try this way: sourcetype[] | timechart count by temperature

Verify if works!

Thanks, Rafael

tirusplunk · ‎11-19-2013

Hi rafamss,

I included above things in props.conf and transforms.conf. But in preview of my log file I am getting the output like this.

Timestamp Event 1 11/19/13 6:46:50.000 PM "Time" "Temparature"

2 11/12/13 4:23:52.051 PM "11/12/2013 16:23:52.051" "+50"

3 11/12/13 4:23:53.051 PM "11/12/2013 16:23:53.051" "-40"

4 11/12/13 4:23:54.051 PM "11/12/2013 16:23:54.051" "-60"

5 11/12/13 4:23:55.051 PM "11/12/2013 16:23:55.051" "+50"

6 11/12/13 4:23:55.051 PM

I did follow by querying this like you said ..|stats dc(*) as *. But no use. Can you please help me in this regard?

Thanks, Tiru

nosignal · ‎10-29-2012

According to this, you configure this in transforms.conf BUT you also need a basic entry in props.conf that connects to the transform, e.g.:
include this in props.conf:

[My Source Type 1]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
REPORT-myname = mydelim

And include this in transforms.conf:

[mydelim]
DELIMS = "\t"
FIELDS = "TimeStamp","Colour","First Name","Shape"

Both files should reside in
$SPLUNK_HOME/etc/system/local/

e.g. C:\Program Files\Splunk\etc\system\local

I have described this exact process in more detail here - including the surprisingly difficult task of seeing the new field names once you have extracted them!

tirusplunk · ‎11-19-2013

Hi nosignal,

I included above things in props.conf and transforms.conf. But in preview of my log file I am getting the output like this.

Timestamp Event
1 11/19/13 6:46:50.000 PM "Time" "Temparature"

2 11/12/13 4:23:52.051 PM "11/12/2013 16:23:52.051" "+50"

3 11/12/13 4:23:53.051 PM "11/12/2013 16:23:53.051" "-40"

4 11/12/13 4:23:54.051 PM "11/12/2013 16:23:54.051" "-60"

5 11/12/13 4:23:55.051 PM "11/12/2013 16:23:55.051" "+50"

6 11/12/13 4:23:55.051 PM

I did follow by querying this like you said ..|stats dc(*) as *. But no use. Can you please help me in this regard?

Thanks,
Tiru

gkanapathy · ‎04-05-2010

You should be able to make it work as with CSV files:

[mysourcetype]
DELIMS = "\t"
FIELDS = field1,f2,fieldthree

but specifying \t instead of , as the delimiter.

camaney · ‎10-20-2011

where can i configutre this?

landen99 · ‎07-28-2015

perhaps you mean

DELIMS=\t

How do index TAB delimited files?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How do index TAB delimited files?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey