<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to extract data from a CSV file with multiple lines, but the timestamp on a different line?? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-extract-data-from-a-CSV-file-with-multiple-lines-but-the/m-p/212610#M41804</link>
    <description>&lt;P&gt;Hi,  &lt;/P&gt;

&lt;P&gt;My log has a timestamp and CSV rows. E.g., given 2 records.&lt;/P&gt;

&lt;P&gt;Sun Feb 14 07:01:05 EST 2016&lt;/P&gt;

&lt;P&gt;customer_name,cust_id, response_code, response_time, size&lt;BR /&gt;
abc, 1002304,200, 0.111,120&lt;BR /&gt;
def, 1002203,200,0.112,150&lt;BR /&gt;
ghi, 1002206,500,0.113,160&lt;/P&gt;

&lt;P&gt;Sun Feb 14 07:04:55 EST 2016&lt;/P&gt;

&lt;P&gt;customer_name,cust_id, response_code, response_time, size&lt;BR /&gt;
abc, 1002304,200, 0.114,110&lt;BR /&gt;
def, 1002203,200,0.118,190&lt;BR /&gt;
ghi, 1002206,500,0.117,130&lt;/P&gt;

&lt;P&gt;How do I index them with the timestamp mentioned for all records in the CSV? Please help.&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 08:52:20 GMT</pubDate>
    <dc:creator>anasar</dc:creator>
    <dc:date>2020-09-29T08:52:20Z</dc:date>
    <item>
      <title>How to extract data from a CSV file with multiple lines, but the timestamp on a different line??</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-extract-data-from-a-CSV-file-with-multiple-lines-but-the/m-p/212610#M41804</link>
      <description>&lt;P&gt;Hi,  &lt;/P&gt;

&lt;P&gt;My log has a timestamp and CSV rows. E.g., given 2 records.&lt;/P&gt;

&lt;P&gt;Sun Feb 14 07:01:05 EST 2016&lt;/P&gt;

&lt;P&gt;customer_name,cust_id, response_code, response_time, size&lt;BR /&gt;
abc, 1002304,200, 0.111,120&lt;BR /&gt;
def, 1002203,200,0.112,150&lt;BR /&gt;
ghi, 1002206,500,0.113,160&lt;/P&gt;

&lt;P&gt;Sun Feb 14 07:04:55 EST 2016&lt;/P&gt;

&lt;P&gt;customer_name,cust_id, response_code, response_time, size&lt;BR /&gt;
abc, 1002304,200, 0.114,110&lt;BR /&gt;
def, 1002203,200,0.118,190&lt;BR /&gt;
ghi, 1002206,500,0.117,130&lt;/P&gt;

&lt;P&gt;How do I index them with the timestamp mentioned for all records in the CSV? Please help.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 08:52:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-extract-data-from-a-CSV-file-with-multiple-lines-but-the/m-p/212610#M41804</guid>
      <dc:creator>anasar</dc:creator>
      <dc:date>2020-09-29T08:52:20Z</dc:date>
    </item>
    <item>
      <title>Re: How to extract data from a CSV file with multiple lines, but the timestamp on a different line??</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-extract-data-from-a-CSV-file-with-multiple-lines-but-the/m-p/212611#M41805</link>
      <description>&lt;P&gt;There's no real easy way to do this.  The problem here is that your file is a mix between a traditional "log" file (with timestamps existing between events) and a tabular (CSV) data format.  This isn't a typical use, and therefore isn't well supported.  A few thoughts/ideas listed below.&lt;/P&gt;

&lt;P&gt;Options:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Modify the log-producing program to format so that there's one timestamp per row (line).&lt;/LI&gt;
&lt;LI&gt;Pre-process the CSV file so that the timestamp repeats for each row.  This would be relatively simple to do in Python, Perl, AWK, or whatever tool you prefer.&lt;/LI&gt;
&lt;LI&gt;Allow Splunk to ingest each chunk of tabular data into a single event; then use some search-time magic to split each event into multiple events--one per CSV row.  I know I wrote a custom search command a few years back that did this exact thing.  (I may be able to find it lying around; I never got around to actually releasing it.)  But this probably isn't the best answer and may not perform as well, depending on your use case.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;There could be some other clever approaches to this as well, but most of them will be either a pain to implement, hard to understand, or have serious limitations.  I'd try options 1 or 2 first.&lt;/P&gt;</description>
      <pubDate>Fri, 19 Feb 2016 16:13:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-extract-data-from-a-CSV-file-with-multiple-lines-but-the/m-p/212611#M41805</guid>
      <dc:creator>Lowell</dc:creator>
      <dc:date>2016-02-19T16:13:44Z</dc:date>
    </item>
  </channel>
</rss>

