how to identify \| character in SPLUNK

abhayneilam
Contributor

Hi,

I have a file which contains a few fields which are '|' separated. Now I have certain values in the file which look like '|' (without any space). Example as follows:

d:\this_directory|Y|DATA

The above statement has three fields, '|' separated, but when this type of data is being imported to SPLUNK, I am getting only two fields because it is assuming d:\this_directory|Y as a single field and 'DATA' as a second field. I have to replace | to \ | every time before importing the data, which is very painful for big-size files.

Is there any way in SPLUNK to handle this type of error !!

Please help !!

Thanks!!


Ayn
Legend

This is no error. From what I gather in your question you haven't told Splunk how to extract field values from this log, so it's using some very generic fallback rules to try to make some sense out of it. So you need to tell Splunk how you want your fields extracted.

Set up a delims-based field extraction in props.conf / transforms.conf. Something like this.

props.conf:

[yoursourcetype]
REPORT-pipedelimitedfields = pipedelimitedfields

transforms.conf:

[pipedelimitedfields]
DELIMS = "|"
FIELDS = "field1", "field2", "field3"
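
As an added illustration (this is not code from the thread and not Splunk's own code), the Python below mimics what the DELIMS/FIELDS stanza above does: split each raw event on '|' and pair the pieces, in order, with the configured field names. It also checks an equivalent anchored regex of the kind one could put in a REGEX/FORMAT transform instead of DELIMS; that regex is my assumption, not something the answer proposes. The sample events are constructed; only the first line comes from the question.

```python
import re
from typing import Dict, List, Optional

# Field names as configured in the transforms.conf stanza above.
FIELD_NAMES = ["field1", "field2", "field3"]

# Constructed sample events. The first is the line from the question; the
# rest are made up to show backslashes and empty values being preserved.
SAMPLE_EVENTS = [
    r"d:\this_directory|Y|DATA",
    r"c:\temp\archive\2024|N|CONFIG",
    r"e:\share||DATA",  # empty middle field
]


def extract_with_delims(event: str, delims: str = "|",
                        fields: List[str] = FIELD_NAMES) -> Dict[str, str]:
    """Emulate a DELIMS/FIELDS extraction.

    In transforms.conf every character of DELIMS is a separator; with the
    single character '|' that is a plain split. Backslashes in the values
    are ordinary characters and are not treated as escapes, which is why
    d:\this_directory survives intact as field1.
    """
    parts = event.split(delims)
    # Pair positionally; surplus pieces are dropped, as are surplus names.
    return dict(zip(fields, parts))


# Assumed alternative: one anchored regex, one capture group per field.
# [^|]* matches anything except the delimiter, so a backslash before a
# pipe does not merge two fields.
PIPE_FIELDS_RE = re.compile(r"^([^|]*)\|([^|]*)\|([^|]*)$")


def extract_with_regex(event: str) -> Optional[Dict[str, str]]:
    """Return the three fields via the regex, or None if the event does
    not contain exactly three pipe-separated pieces."""
    match = PIPE_FIELDS_RE.match(event)
    if match is None:
        return None
    return dict(zip(FIELD_NAMES, match.groups()))


def parse_all(events: List[str] = SAMPLE_EVENTS) -> List[Dict[str, str]]:
    """Run the DELIMS-style extraction over every sample event and verify
    that the regex form agrees with it."""
    results = []
    for event in events:
        by_delims = extract_with_delims(event)
        by_regex = extract_with_regex(event)
        assert by_regex == by_delims, f"disagreement on {event!r}"
        results.append(by_delims)
    return results


if __name__ == "__main__":
    for row in parse_all():
        print(row)
```

Running it prints one dict per sample event with field1 holding the full Windows path, showing that a plain delimiter split (which is what DELIMS configures) never needs the '|' characters in the data to be escaped.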

abhayneilam
Contributor

I have written the same lines in the configuration files but still the same problem is there ... '|' should be a separator, but anywhere it is getting | it is not considering | as a separator.

Please help
