How to input text file?

prakarn_c
Engager

Hi, I'm a newbie in Splunk and would like to input a text file in the following format:

Rank Site First Seen Netblock Site Report Country
1 http://www.facebook.com May 1997 Facebook, Inc. Go US
2 http://www.google.com November 1998 Google Inc. Go US
3 https://www.facebook.com November 2007 Facebook, Inc. Go US

Could you advise step by step whether there is any conf file to modify to support this type of data, so that it can be queried and each field displayed correctly? Please note that some fields may contain more than one space, i.e. Netblock (i.e. May 1977) and the Site Report field (Facebook, Inc.).


prakarn_c
Engager

I don't have any control. The above is just an example which I am using to start learning Splunk with general data that is not one of the default log templates Splunk already supports. I would like to learn how to input it correctly so that I can retrieve it later more efficiently.

Regarding the above example, it's CSV, and I would also like to know, if it's a text file, whether it is easy to extract data from a text file like this. If it's quite hard, please guide me, as CSV format is fine for me. However, if it's a text file and any delimiter needs to be added to make it easier, please show me an example conf to support it; that would be great.

Thank you very much


DrewO
Splunk Employee

It's hard to tell from your example, but this looks like a CSV? If so, the multikv command will extract those fields based on the first row (doc'ed here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv).

You could create permanent (not just based on the multikv command) field extractions for this as well.

doc'ed here:

http://docs.splunk.com/Documentation/Splunk/4.3.2/Knowledge/Addfieldsatsearchtime
http://docs.splunk.com/Documentation/Splunk/4.3.2/Knowledge/Createandmaintainsearch-timefieldextract...
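One way the permanent extraction could look for the sample rows in the question, as an added example that is not from DrewO's answer or from Splunk's docs. Since the rows are space-separated but Netblock contains spaces, every other field is pinned by its shape (digits, a URL with no spaces, "Month YYYY", the literal "Go", a two-letter country code) so Netblock can be matched free-form; the props.conf sourcetype name "netcraft_top_sites" and the extraction name "EXTRACT-sites" are assumptions.

```python
import re

# Constructed sample: the header and the three data rows from the question.
SAMPLE = """Rank Site First Seen Netblock Site Report Country
1 http://www.facebook.com May 1997 Facebook, Inc. Go US
2 http://www.google.com November 1998 Google Inc. Go US
3 https://www.facebook.com November 2007 Facebook, Inc. Go US
"""

# Every fixed-shape field is anchored explicitly; Netblock is the only lazy,
# free-form group, so it may contain spaces and commas without breaking the split.
LINE_RE = re.compile(
    r"^(?P<Rank>\d+)\s+"
    r"(?P<Site>\S+)\s+"
    r"(?P<FirstSeen>[A-Z][a-z]+ \d{4})\s+"
    r"(?P<Netblock>.+?)\s+"
    r"(?P<SiteReport>Go)\s+"
    r"(?P<Country>[A-Z]{2})$"
)

# The same regex as a Splunk search-time extraction for props.conf. Splunk's PCRE
# accepts the (?P<name>...) syntax and uses the group names as field names.
# The sourcetype name "netcraft_top_sites" is a hypothetical placeholder.
PROPS_CONF = f"""[netcraft_top_sites]
SHOULD_LINEMERGE = false
EXTRACT-sites = {LINE_RE.pattern}
"""

def parse_lines(text):
    """Return one dict of fields per data row; the header and any row that
    does not fit the expected shape are skipped rather than mis-split."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

if __name__ == "__main__":
    for row in parse_lines(SAMPLE):
        print(row)
    print(PROPS_CONF)
```

Skipping non-matching rows instead of splitting them on whitespace is what keeps a stray line from shifting Country or Netblock into the wrong field.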

Damien_Dallimor
Ultra Champion

Do you have any control over the formatting of the lines? Or is that example your only format option?
