topic Re: Splunk parsing and displaying data: What can I do in my source file to make Splunk show just the "Keys" under Interesting fields and not club them with any of the values? in Splunk Enterprise

Splunk parsing and displaying data: What can I do in my source file to make Splunk show just the "Keys" under Interesting fields and not club them with any of the values?

samsingla — Mon, 17 Sep 2018 19:58:06 GMT

I am a new user to Splunk Enterprise and have a basic question on how Splunk parses and displays data.

I am feeding a few .csv files (timestamp, kv pair) as my input. I was hoping that Splunk would automatically detect the "key" and show it as a field on the right hand side (under Interesting Fields). And that's what is happening for the most part, but it is also appending a value with _. e.g. One of the fields is ProductType and it can appear as ProductType=abc, or ProductType=cde or ProductType=xyz.

What I have noticed is that if there is only one iteration of ProductType=abc and multiple iterations of other two, Splunk will show "ProductType_abc" under "Interesting Fields". But, when I click on it, it does show all three so I can still sort.

I learned that we can change config files, and also pre-define source fields, but my access is pretty locked down and don't have direct access to config/sys data. Is there anything I can do in my source file that will make Splunk show just the "Keys" under Interesting fields and not club them with any of the values?

Re: Splunk parsing and displaying data: What can I do in my source file to make Splunk show just the "Keys" under Interesting fields and not club them with any of the values?

DalJeanis — Tue, 18 Sep 2018 00:39:36 GMT

As described, this may be a problem with your csv layout and/or with ingestion.

Normally, in a csv, the first line establishes the names of the fields. Any odd characters in the column header are cleaned by splunk and replaced by underscores. Thus, if you have a column whose header says ProductType=abc, that field name will be rendered as ProductType_abc. If you are getting a field named that, and the values are ProductType_abc, ProductType_xyz and so on, then what you have is not exactly a csv, but a file with key-value pairs that are separated by commas.

Re: Splunk parsing and displaying data: What can I do in my source file to make Splunk show just the "Keys" under Interesting fields and not club them with any of the values?

samsingla — Tue, 18 Sep 2018 15:10:51 GMT

Thank you for the answer, it makes sense. I didn't realize that Splunk will look for a csv header even if the data values appear as kv pair. This makes sense now. Is there a recommended extension for a kv pair file (*.txt maybe?).

And I am hoping if I ingest the exact same file as a *.txt, the "keys" will appear on the right hand side as it is (ProductType=abc will appear as ProductType and not ProductType_abc, even if ProductType=abc is in the first line, correct?

Re: Splunk parsing and displaying data: What can I do in my source file to make Splunk show just the "Keys" under Interesting fields and not club them with any of the values?

DalJeanis — Thu, 20 Sep 2018 18:27:44 GMT

The first line is a data line, so yes, any ingestion method that tells the system to extract the kv pairs will work. Try using the GUI to ingest the data into a test instance, and let splunk walk you thru the process. You should be able to find the right method pretty quickly.