How to forward logs with Splunk Forwarder for the files with no header and logs should be in form of key/Value

Question

I have a splunk forwarder setup already on my host.

I have certain files in the folder (/tom/mike/). File names are starting with Back*.

The content of file may in one or multiple line. There are multiple fixed position values separated with some spaces in each line with no header.

Content (Example: Consider "-" as one space)

Tom---516-----RTYUI------45678

Mik---345-----XYXFF------56789

I need splunk logs for each line.

like:

Key1= Tom  Key2=516  Key3= RTYUI  Key4= 45678

Key1= Mike  Key2= 345  Key3= XYXFF  Key4= 56789

I know inputs.conf changes would be like below:

[monitor:///tom/mike/Back*]

index=myIndex

blacklist=\.(gz|zip|bkz|arch|etc)$

sourcetype = BackFileData

Please suggest changes which can be done in props.conf. Please keep in mind that delimiter is fixed for each value in line but its not same (like 2 spaces) for all column values. There are no headers as well in these files.

score 0 · Answer 1 · answered Aug 06 '17 at 13:49

0

You can use kvdelims if you want a search-time extraction or you can make a transforms.conf rule and apply it in props.conf and it will extract at index time

Here's a good article covering all those scenarios

https://www.splunk.com/blog/2008/02/12/delimiter-based-key-value-pair-extraction.html

answered Aug 06 '17 at 13:49

skoelpin

212
1
5

How to make a transforms.conf rule and apply it in props.conf ? – user2187367 Aug 07 '17 at 08:01
They should be located on your indexer(s) under `/opt/splunk/etc/apps//local` – skoelpin Aug 07 '17 at 23:19

How to forward logs with Splunk Forwarder for the files with no header and logs should be in form of key/Value

1 Answers1