https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167717#M33951 <P>won't the source name be the same (if they are saved in the same folder)</P> Tue, 06 Jan 2015 05:52:08 GMT simonbuskens 2015-01-06T05:52:08Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167715#M33949 <P>Hi<BR /> I have a series of .csv files (1 for each month) where the first 100 fields are the same, but after that there are about 4 or 5 fields that are specific to that month only.</P> <P>What is the best way to add that data into Splunk?</P> <P>Will I be able to add them all to the same index, or do they need their own index (so then I have to search across them all)</P> Tue, 06 Jan 2015 05:17:15 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167715#M33949 simonbuskens 2015-01-06T05:17:15Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167716#M33950 <P>you can add in same index and source name will be different and you can search based on source name</P> Tue, 06 Jan 2015 05:49:03 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167716#M33950 kml_uvce 2015-01-06T05:49:03Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167717#M33951 <P>won't the source name be the same (if they are saved in the same folder)</P> Tue, 06 Jan 2015 05:52:08 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167717#M33951 simonbuskens 2015-01-06T05:52:08Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167718#M33952 <P>Files name are same or different? if the file name are different you can put in same index and can write queries according to source field.</P> Tue, 06 Jan 2015 05:54:21 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167718#M33952 asifhj 2015-01-06T05:54:21Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167719#M33953 <P>For your sourcetype, define the fieldnames in the header in all of your csv's in props.conf.</P> <P>Then, define additional fields in that header for the sourcetype. E.g.,</P> <P>fields = alwaysherefield1, alwaysherefield2, alwaysherefield...30, sometimesherefield31, sometimesherefield32, sometimesherefield33</P> <P>If those fields dont exists, there wont be a value set. In the CSVs that have the fields, the values will be set. Then in your search, you can rename the fields to whatever you want them to be.</P> <P>Refer to here for props.conf examples :<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Extractfieldsfromfileheadersatindextime">http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Extractfieldsfromfileheadersatindextime</A></P> Tue, 06 Jan 2015 05:56:42 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167719#M33953 esix_splunk 2015-01-06T05:56:42Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167720#M33954 <P>Nope, folders cannot have two files with same name.</P> Tue, 06 Jan 2015 06:06:39 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167720#M33954 asifhj 2015-01-06T06:06:39Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167721#M33955 <P>Source name will be path+filename, sourcetype will be whatever you defined it to be.</P> Wed, 07 Jan 2015 04:18:33 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-index-csv-files-with-some-common-fields/m-p/167721#M33955 esix_splunk 2015-01-07T04:18:33Z