Splunk Search

help me to understand regex and delimiter

mkhedr
Explorer

i can't understand when to use regex and when to use delimiter
-Regex
Use this option when your event contains unstructured data like a system log file
-Delimiter
Use this option when your event contains structured data like a .csv file

0 Karma
1 Solution

Azeemering
Builder

The delimiters method is designed for structured event data: data from files with headers, where all of the fields in the events are separated by a common delimiter, such as a comma or space. You select a sample event, identify the delimiter, and then rename the fields that the field extractor finds. data that resides in a file that has headers and fields separated by specific characters.

Here it is explained in detail:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/ExtractfieldsinteractivelywithIFX

View solution in original post

0 Karma

Azeemering
Builder

The delimiters method is designed for structured event data: data from files with headers, where all of the fields in the events are separated by a common delimiter, such as a comma or space. You select a sample event, identify the delimiter, and then rename the fields that the field extractor finds. data that resides in a file that has headers and fields separated by specific characters.

Here it is explained in detail:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What document are you citing?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...