Splunk Search

Does Splunk have a way to ingest this kind of format?

ejmin
Path Finder

Hi does anyone know how to ingest this in splunk basically this format is not a csv type but a special one.
The ff. below are the actual format of my data.

"Brand,X"
"Store,0000"
"Date,03/29/2019"
"Amount,1234"
"Type,P"

Is there a way to transpose this in splunk like the function of an excel file.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi ejmin,
let me understand: do you have these information in one file, but in the same file have more groups like this or only one?
then the sequence of information is always the same?

If the sequence is always the same and you have more groups in the same file, you could use a props.conf like this:

[my_sourcetype]
TIME_PREFIX = \"Date,
TIME_FORMAT = %m/%d%Y
BREAK_ONLY_BEFORE = \"Brand,

Bye.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ejmin,
let me understand: do you have these information in one file, but in the same file have more groups like this or only one?
then the sequence of information is always the same?

If the sequence is always the same and you have more groups in the same file, you could use a props.conf like this:

[my_sourcetype]
TIME_PREFIX = \"Date,
TIME_FORMAT = %m/%d%Y
BREAK_ONLY_BEFORE = \"Brand,

Bye.

Giuseppe

0 Karma

ejmin
Path Finder

Yes you can say, that it is static but my actual problem is how those BRAND DATE become a column and the X and 06/01/2019 become a values because currently the ingestion only consist of Event and Time

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ejmin,
if you have an event, you can extract the fields using the field extractor or a regex.
In the following example I use rex command, but you can use these regexes to extract fields.

index=my_index
| rex "\"Brand,(?<Brand>[^\"]+)\"\s+\"Store,(?<Store>[^\"]+)\"\s+\"Date,(?<Date>[^\"]+)\"\s+\"Amount,(?<Amount>[^\"]+)\"\s\"Type,(?<Type>[^\"]+)\""
| table Brand Store Date Amount Type

You can test it at https://regex101.com/r/BhIxvQ/1 .

Bye.
Giuseppe

0 Karma

ejmin
Path Finder

Ohh I get it thanks. That thing works

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...