Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

pipe separated instead of csv

chetanvartak
New Member
‎03-08-2013 11:19 AM

I was wondering if it is possible to build a regex for a pipe separated file… Where the Header row carries the name of the field. Example –

EmployeeID|FirstName|LastName|MiddleName|GivenName|EmployeeStatus|EmployeeType|Action|EffectiveDate|Hire_Date|TerminationDate|RehireDate|CO_ID|Paygroup|DISTRICT|OpsDistrict|Store|JobCode|Title|Department|Country|HiringManager_Emp_ID|Supervisor_Emp_ID|StoreMenuLevel|UserRegion|UserDistrict|EmployeeClass|HomeDeptName|ManagerLevelCode|LastModifiedDate||ExpBatchDate
013216|Corey|Forey|M||A|F|PAY|2012-07-01|1999-04-03|1900-01-01|1900-01-01|GCS|GC1|033|033|339|1071|Operations Manager|575000|NULL|32342|32342|9|2|033|OPS|Ops Managers|3|2012-07-17|2013-03-08
013243|Jose|Fose|M||A|F|PAY|2012-07-01|1999-04-05|1900-01-01|1900-01-01|GCS|GC1|015|015|226|1983|Sales Associate|415000|NULL|51184|51184|6|1|015|SLS|Asst Manager|6|2013-03-01|2013-03-08

It of course works fine if I convert the file to a csv file. So basically I want to use the csv source type but use “|” instead of comma…

Tags (1)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-08-2013 11:37 AM

You could use a props/transform if you reuse the same file for output.

In props.conf:

[your_sourcetype]
REPORT-pullpipes = st-pull-pipe

In transforms.conf:

[st-pull-pipe]
DELIMS = "|"
FIELDS = "EmployeeID", "FirstName", "LastName", "MiddleName", etc.....

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...