Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can we auto extracted fields from TAB delimited text file with header at index time?

abhisplunk1
Explorer
‎06-14-2023 05:10 AM

Hi here is sample format

 

Audit Log ID KMA ID KMA Name Class Retention Term Operation Condition Severity Audit Log Entry ID Created Date Entity ID Entity Network Address Message Values Solution
B7086B1B57C6714E00000000009D00B1 B7086B1B57C6714E CA4SICLKMA1 Audit Log Management Operations Short Term List Audit Logs Success Success 000109000000 2023-06-05 09:35:11 AKH25wj 30.XXX.XXX.XX No recommended action
B7086B1B57C6714E00000000009D00AF B7086B1B57C6714E CA4SICLKMA1 Audit Log Management Operations Short Term List Audit Logs Success Success 000109000000 2023-06-05 09:35:06 AKH25wj 30.XXX.XXX.XX No recommended action
B7086B1B57C6714E00000000009D00AA B7086B1B57C6714E CA4SICLKMA1 Audit Log Management Operations Short Term List Audit Logs Success Success 000109000000 2023-06-05 09:34:17 AKH25wj 30.XXX.XXX.XX No recommended action

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-14-2023 09:45 AM

A tab-delimited file is just a CSV that uses tabs instead of commas.  Try these props:

[mysourcetype]
INDEXED_EXTRACTIONS = TSV
DATETIME_CONFIG = current

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhisplunk1
Explorer
‎06-23-2023 11:16 AM

Logs are coming from UF, so I have tried INDEXED_EXTRACTION=TSV on indexer which did not work for me, then on search head used following example pattern, which did not work either. So I had to create new field extraction using the UI and there select the tab as delimiter and then rename the fields. 

[mysourcetype]
DELIMS = "\t"
FIELDS = field1,f2,fieldthree

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-23-2023 11:32 AM

Note that the correct setting name is INDEXED_EXTRACTIONS.

Putting index-time extractions on a search head will not help because extractions are done by indexers and heavy forwarders.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-24-2023 11:55 AM

Actually, while "normal" extractions are done on indexers/HFs, indexed extractions are done right on the inputting component even if it's a UF so you need to define INDEXED_EXTRACTIONS on your UF in that case.

Having said that, there is a possibility to use KV_MODE=multi to extract fields from delimited events in search-time.

Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...