Re: splunk delimeter setup

splunk_gs · ‎06-18-2012

i have a txt file that is seperated by semicolons ";" that i am sending via TCP. How do i set it up to where i can assign each seperation with a field? i tried doing it through the web manager but it wouldnt extract the fields.

This wouldn't work:
props.conf:
[xxx_fields]
DELIMS=";"
FIELDS = "x1", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9"

Example would be:
Header
x1;x2;x3;x4;x5;x6;x7;x8;x9

Raw Fields
x;x;x;x;x;x;x;x;x

Basically i just want to be able to search by the header fields...please help

Ayn · ‎06-18-2012

The DELIMS/FIELDS settings should go in transforms.conf, not props.conf. In props.conf you put a stanza that defines which data this should apply to, for instance by specifying a sourcetype, source or similar, and also a REPORT directive that refers to the transform containing the DELIMS/FIELDS settings.

EDIT: An example:

Let's say the logs you want to apply this to have sourcetype "my_sourcetype". In props.conf, you would put:

[my_sourcetype]
REPORT-getfields = mysourcetype_fields

In transforms.conf, put:

[mysourcetype_fields]
DELIMS=";"
FIELDS = "x1", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9"

Fields should now be extracted for events with the sourcetype "my_sourcetype".

Ayn · ‎06-18-2012

Updated my answer with an example.

splunk_gs · ‎06-18-2012

can you give me an example please?

splunk delimeter setup

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...