
How to input text file?

prakarn_c
Engager

Hi, I'm a newbie in Splunk and would like to input a text file in the following format:

Rank Site First Seen Netblock Site Report Country
1 http://www.facebook.com May 1997 Facebook, Inc. Go US
2 http://www.google.com November 1998 Google Inc. Go US
3 https://www.facebook.com November 2007 Facebook, Inc. Go US

Could you advise step by step whether there is any conf file to modify to support this type of data, so that it can be queried and each field displayed correctly? Please note that some fields may contain more than one space, i.e. Netblock (i.e. May 1977) and the Site Report field (Facebook, Inc.).

0 Karma

prakarn_c
Engager

I didn't have any control. The above is just an example which I am using to start learning Splunk with general data that is not in one of the default log templates Splunk already supports. I would like to learn how to input it correctly so that I can retrieve it later more efficiently.

Regarding the above example, it's CSV, but I would also like to know, if it's a text file, whether it is easy to extract data from a text file like this. If it's quite hard, please guide me, as CSV format is fine for me. However, if it's a text file and any delimiter needs to be added to make it easier, please show me an example conf to support it; that would be great.

Thank you very much

0 Karma

DrewO
Splunk Employee

It's hard to tell from your example, but this looks like a CSV? If so, the multikv command will extract those fields based on the first row (documented here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv).

You could also create permanent field extractions (not just ones based on the multikv command) for this.

Documented here:

http://docs.splunk.com/Documentation/Splunk/4.3.2/Knowledge/Addfieldsatsearchtime
http://docs.splunk.com/Documentation/Splunk/4.3.2/Knowledge/Createandmaintainsearch-timefieldextract...
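An added worked example, not from the answer above or from Splunk's own documentation: the sample rows are space-separated, but "First Seen" and "Netblock" themselves contain spaces, so neither a whitespace split nor a plain CSV delimiter gives correct columns, and multikv (which relies on column alignment from the header row) cannot be relied on either. The fixed parts of each row can be anchored instead: an integer rank, a single-token URL, a "<Month> <YYYY>" date, and exactly two single tokens at the end of the line; a lazy group then absorbs whatever remains in the middle as the Netblock. The code below applies that regex to the rows copied from the post (labelled as constructed sample input) and prints the same pattern in the `(?<name>...)` form that a Splunk search-time extraction (`REGEX` in transforms.conf, or `| rex` in a search) accepts. The stanza name `toplist_extract` and sourcetype `netcraft_top` are assumed names for the example, not anything from the page.

```python
import re

# Constructed sample input, copied from the post above: one header row and
# three data rows.
SAMPLE = """\
Rank Site First Seen Netblock Site Report Country
1 http://www.facebook.com May 1997 Facebook, Inc. Go US
2 http://www.google.com November 1998 Google Inc. Go US
3 https://www.facebook.com November 2007 Facebook, Inc. Go US
"""

# Anchor on the fixed-shape columns; the lazy .+? for netblock expands only
# as far as needed for the last two single-token columns to match, so
# "Facebook, Inc." is kept whole whatever number of spaces it contains.
LINE_RE = re.compile(
    r"^(?P<rank>\d+)\s+"
    r"(?P<site>\S+)\s+"
    r"(?P<first_seen>[A-Z][a-z]+ \d{4})\s+"
    r"(?P<netblock>.+?)\s+"
    r"(?P<site_report>\S+)\s+"
    r"(?P<country>[A-Z]{2})\s*$"
)

# Splunk's PCRE names groups as (?<name>...) where Python uses (?P<name>...);
# the rest of the pattern is identical, so derive the Splunk form from it.
SPLUNK_REGEX = LINE_RE.pattern.replace("(?P<", "(?<")

# Equivalent permanent search-time extraction. The stanza name and the
# sourcetype are assumptions for this example.
SPLUNK_CONF = f"""\
# transforms.conf
[toplist_extract]
REGEX = {SPLUNK_REGEX}

# props.conf
[netcraft_top]
REPORT-toplist = toplist_extract
"""


def parse_line(line):
    """Return a dict with the six fields, or None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_file(text):
    """Parse every non-blank row; the header and any malformed row are returned separately
    rather than silently dropped, so a layout change shows up as rejected lines."""
    rows, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            rows.append(rec)
    return rows, rejected


if __name__ == "__main__":
    rows, rejected = parse_file(SAMPLE)
    for r in rows:
        print(r)
    print("rejected:", rejected)
    print('search-time equivalent: | rex "' + SPLUNK_REGEX + '"')
    print(SPLUNK_CONF)
```

The header row is rejected because it does not start with a digit, which is the same reason it is safe to point the Splunk extraction at the whole file. The two trailing columns are matched by position rather than by the literal value "Go", so a row whose Site Report column changes still parses; a row with a third trailing token, or a date in another format, is reported as rejected instead of being split into the wrong fields.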

Damien_Dallimor
Ultra Champion

Do you have any control over the formatting of the lines? Or is that example your only format option?

0 Karma