How to parse out asterisk delimited format?

skirven · ‎04-13-2022

Hi! I'm having a struggle trying to get Splunk to recognize a file that's in Asterisk Delimited Format. I have the props.conf set like this below, running on a Splunk 7.3.8 HF, sending the cooked data to a 8.1.72 Search Peer. Nothing I've tried will get the data to parse correctly. Everything I'm reading, this should work. I've opened a support case, but I'm going around in circles with them, so if anyone has any thought here, I would appreciate it!

[ sourcetype ]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
FIELD_DELIMITER=*
FIELD_NAMES=timestamp,.....
TRUNCATE=50000

Thanks,
Stephen

gcusello · ‎04-13-2022

Hi @skirven,

as you can read at https://docs.splunk.com/Documentation/Splunk/8.2.6/admin/Propsconf to use the FIELD_DELIMITER, you have to set the INDEXED_EXTRACTIONS parameter, which kind of file are you using? a CSV?

Ciao.

Giuseppe

skirven · ‎04-13-2022

Thanks. I did see that, and had tried that. The file is a log file, but in Asterisk Delimited Format. I'll test with INDEXED_EXTRACTIONS=CSV and the FIELD_DELIMITER=* and see what happens.

Thanks.
Stephen

skirven · ‎04-13-2022

That didn't work either. 😞

[ sourcetype ]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
FIELD_DELIMITER=*
FIELD_NAMES=timestamp,.....
TRUNCATE=50000
INDEXED_EXTRACTIONS=CSV

How to parse out asterisk delimited format?

heavy forwarder

intermediate forwarder

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?