I am looking to read into SPLUNK a tab delimited file. But most of what I see is key based Field Extractions (, space, etc.)
Is there an example of how this might be done with TAB?

You should be able to make it work as with CSV files:
[mysourcetype]
DELIMS = "\t"
FIELDS = field1,f2,fieldthree
but specifying \t instead of , as the delimiter.
nosignal, I tested your sample and in my case it worked perfectly. Thank you!
Hi Tiru,
Try this way: sourcetype[] | timechart count by temperature
Verify if it works!
Thanks, Rafael
Hi rafamss,
I included the above things in props.conf and transforms.conf. But in the preview of my log file I am getting output like this:
Timestamp Event
1 11/19/13 6:46:50.000 PM "Time" "Temparature"
2 11/12/13 4:23:52.051 PM "11/12/2013 16:23:52.051" "+50"
3 11/12/13 4:23:53.051 PM "11/12/2013 16:23:53.051" "-40"
4 11/12/13 4:23:54.051 PM "11/12/2013 16:23:54.051" "-60"
5 11/12/13 4:23:55.051 PM "11/12/2013 16:23:55.051" "+50"
6 11/12/13 4:23:55.051 PM
I did follow by querying this like you said ..|stats dc(*) as *. But no use. Can you please help me in this regard?
Thanks, Tiru
According to this, you configure this in transforms.conf BUT you also need a basic entry in props.conf that connects to the transform, e.g.:
Include this in props.conf:
[My Source Type 1]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
REPORT-myname = mydelim
And include this in transforms.conf:
[mydelim]
DELIMS = "\t"
FIELDS = "TimeStamp","Colour","First Name","Shape"
Both files should reside in $SPLUNK_HOME/etc/system/local/, e.g. C:\Program Files\Splunk\etc\system\local
I have described this exact process in more detail here - including the surprisingly difficult task of seeing the new field names once you have extracted them!
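Added example, not part of any post in this thread and not Splunk code: a pre-indexing check that splits a file on tabs and compares every line against the field list you plan to put in FIELDS, reporting header rows, blank lines and lines that do not split into the expected number of fields. The sample text is constructed (modelled on the preview shown in this thread), and `check_tsv`, `SAMPLE` and `FIELDS` are hypothetical names.

```python
import csv
import io

# Constructed sample: a quoted header row, tab-separated data rows,
# one row that uses a space instead of a tab, and a trailing blank line.
SAMPLE = (
    '"Time"\t"Temparature"\n'
    '"11/12/2013 16:23:52.051"\t"+50"\n'
    '"11/12/2013 16:23:53.051"\t"-40"\n'
    '"11/12/2013 16:23:54.051" "-60"\n'
    '\n'
)

# Assumption: the same names, in the same order, as FIELDS in transforms.conf.
FIELDS = ["Time", "Temparature"]


def check_tsv(text, fields):
    """Split text on tabs and return (rows, problems).

    rows     -- list of dicts, one per line that matches the field list
    problems -- list of (line_number, reason) for every other line
    """
    rows, problems = [], []
    reader = csv.reader(io.StringIO(text), delimiter="\t", quotechar='"')
    for values in reader:
        lineno = reader.line_num
        if not values or all(v.strip() == "" for v in values):
            problems.append((lineno, "blank line"))
        elif values == fields:
            # The header repeats the field names; it is not a data row.
            problems.append((lineno, "header row"))
        elif len(values) != len(fields):
            problems.append(
                (lineno, f"expected {len(fields)} fields, got {len(values)}")
            )
        else:
            rows.append(dict(zip(fields, values)))
    return rows, problems


if __name__ == "__main__":
    good, bad = check_tsv(SAMPLE, FIELDS)
    print(f"{len(good)} clean rows")
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```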
Hi nosignal,
I included the above things in props.conf and transforms.conf. But in the preview of my log file I am getting output like this:
Timestamp Event
1 11/19/13 6:46:50.000 PM "Time" "Temparature"
2 11/12/13 4:23:52.051 PM "11/12/2013 16:23:52.051" "+50"
3 11/12/13 4:23:53.051 PM "11/12/2013 16:23:53.051" "-40"
4 11/12/13 4:23:54.051 PM "11/12/2013 16:23:54.051" "-60"
5 11/12/13 4:23:55.051 PM "11/12/2013 16:23:55.051" "+50"
6 11/12/13 4:23:55.051 PM
I did follow by querying this like you said ..|stats dc(*) as *. But no use. Can you please help me in this regard?
Thanks,
Tiru
Where can I configure this?

perhaps you mean
DELIMS=\t
