Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to indentify \| character in SPLUNK

abhayneilam
Contributor
‎10-25-2012 12:47 AM

Hi,

I have a file which contains few fields which are '|' separated, Now I have certain values in file which looks like '|' ( without any space ). example as follows:

d:\this_directory|Y|DATA

above statement is having three fields with '|' separated, but when this type of data is being imported to SPLUNK , I am getting only two fields because , it is assuming d:\this_directory|Y as a single field and 'DATA' as a second field. I have to replace | to \ | everytime before importing the data which is very painful for the big size files.

Is there any way in SPLUNK to handle this type of error !!

Please help !!

Thanks!!

Tags (4)
0 Karma
Reply

Ayn
Legend
‎10-25-2012 01:06 AM

This is no error. From what I gather in your question you haven't told Splunk how to extract field values from this log, so it's using some very generic fallback rules to try to make some sense out of it. So you need to tell Splunk how you want your fields extracted.

Setup a delims based field extraction in props.conf / transforms.conf. Something like this.

props.conf:

[yoursourcetype]
REPORT-pipedelimitedfields = pipedelimitedfields

transforms.conf:

[pipedelimitedfields]
DELIMS = "|"
FIELDS = "field1", "field2", "field3"
Reply

abhayneilam
Contributor
‎10-25-2012 03:05 AM

I have written the same lines in the configuration files but stil the same problem is there ... '|' should be a separater ,but anywhere it is getting | is not considering | as a separator.

Please help

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...