That works!!!
I used this method:
sourcetype="test"
| eval myField=_raw
| makemv delim=" " myField
| mvexpand myField
| top limit=10 myField
It displays exactly what I want!
So for this part it's perfect.
Just another little question:
I want to continuously monitor a text file; the file contains 100 lines:
Cisco ...
Microsoft ..
Symantec
Azerty
ERTY
..
So I went to
Settings -> Data Inputs -> Files and directories -> New -> I chose the path -> Continuously monitor ->
When I'm in Source type -> Trigger events: Each line -> Timestamp: Actual hour
And now I click on Save As:
Name: azerty
Description:
Category: Customize
App: Search & Reporting
After that, I click on Next:
App context: Search and Reporting
Host field value - Constant value: NS
Index: default
So, when I finish everything, there is a "No results found" when I run one of these 2 commands:
source="/Users/NS/Downloads/allo" host="NS" sourcetype="TEST"
or
sourcetype="TEST"
My file wasn't indexed and I didn't find the sourcetype=TEST.
I did it many times successfully with structured files; it's the first time I've met this problem.
In my opinion Splunk cannot monitor it continuously because it's only full text: there aren't timestamps or fields or any other indications, although I chose the timestamp of my system.
So I tried exactly the same configuration but Index Once instead of Continuously monitor and... that works. Data Inputs --> Index Once --> same configuration as previously.
My actual need is to monitor it continuously, because if I modify anything in the text file, I won't see the change in Splunk, and that's the problem. Is it possible for a full text file?
Have you any idea?
Thanks,
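The wizard steps in the post above, written out as the equivalent inputs.conf and props.conf stanzas (an added example for this page, not the poster's own configuration). The file location under $SPLUNK_HOME/etc/apps/search/local/ and the commented crcSalt option are assumptions; path, host and sourcetype are the values the post gives.

```ini
# inputs.conf  (assumed: $SPLUNK_HOME/etc/apps/search/local/inputs.conf)
# Continuous monitor of the plain-text file from the post.
[monitor:///Users/NS/Downloads/allo]
sourcetype = TEST
host = NS
disabled = false
# "Index: default" in the wizard means the default index, so no index= line
# is set here; writing index = default would point at a non-existent index.
#
# Assumed option, not in the post: Splunk recognises a file by a checksum of
# its first bytes, so a file whose beginning matches an already indexed file
# can be skipped as a duplicate. Salting the checksum with the source path
# makes each path its own file:
# crcSalt = <SOURCE>

# props.conf  (same local directory)
# Equivalent of "Trigger events: Each line" and "Timestamp: actual hour"
# for a word list that carries no timestamps of its own.
[TEST]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
DATETIME_CONFIG = CURRENT
```

After a restart, splunkd.log (index=_internal) records the TailingProcessor adding a watch on the path, which is the first thing to check when the monitor input returns no events.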