https://community.splunk.com/t5/Getting-Data-In/parse-csv-content-and-header-for-fields/m-p/500459#M85281 <P>Hi @ All,</P> <P>i´ve got problems to parse the following file / content:</P> <PRE><CODE>"CreationTime","LastWriteTime","LastAccessTime","Name","Length","Directory" "25/03/2020 10:27:21","25/03/2020 10:27:36","25/03/2020 10:27:21","01.txt","5","C:\Share" "25/03/2020 11:12:10","13/12/2019 11:48:07","25/03/2020 11:12:10","splunkforwarder-8.0.1.msi","68755456","C:\Share" "25/03/2020 10:28:04","25/03/2020 10:28:17","25/03/2020 10:28:04","01.txt","13","C:\Share\A" "25/03/2020 10:28:04","25/03/2020 10:28:32","25/03/2020 10:28:22","02.txt","12","C:\Share\A" "25/03/2020 10:28:53","25/03/2020 10:28:53","25/03/2020 10:28:53","Empty.zip","22","C:\Share\B" </CODE></PRE> <P>my problem is, that splunk dont regognise / use the header infomations and dont split per line.<BR /> i tried with probs.conf CSV option, header check, filds delmiter, header delimter, quotes option, field names, etc etc...</P> <P>All options displays the same result... the header as event and one of the lines (randomly) as event...</P> <P>Anybody who can help me?</P> <P>THX - Markus</P> Thu, 26 Mar 2020 08:33:26 GMT pduvofmr 2020-03-26T08:33:26Z https://community.splunk.com/t5/Getting-Data-In/parse-csv-content-and-header-for-fields/m-p/500459#M85281 <P>Hi @ All,</P> <P>i´ve got problems to parse the following file / content:</P> <PRE><CODE>"CreationTime","LastWriteTime","LastAccessTime","Name","Length","Directory" "25/03/2020 10:27:21","25/03/2020 10:27:36","25/03/2020 10:27:21","01.txt","5","C:\Share" "25/03/2020 11:12:10","13/12/2019 11:48:07","25/03/2020 11:12:10","splunkforwarder-8.0.1.msi","68755456","C:\Share" "25/03/2020 10:28:04","25/03/2020 10:28:17","25/03/2020 10:28:04","01.txt","13","C:\Share\A" "25/03/2020 10:28:04","25/03/2020 10:28:32","25/03/2020 10:28:22","02.txt","12","C:\Share\A" "25/03/2020 10:28:53","25/03/2020 10:28:53","25/03/2020 10:28:53","Empty.zip","22","C:\Share\B" </CODE></PRE> <P>my problem is, that splunk dont regognise / use the header infomations and dont split per line.<BR /> i tried with probs.conf CSV option, header check, filds delmiter, header delimter, quotes option, field names, etc etc...</P> <P>All options displays the same result... the header as event and one of the lines (randomly) as event...</P> <P>Anybody who can help me?</P> <P>THX - Markus</P> Thu, 26 Mar 2020 08:33:26 GMT https://community.splunk.com/t5/Getting-Data-In/parse-csv-content-and-header-for-fields/m-p/500459#M85281 pduvofmr 2020-03-26T08:33:26Z https://community.splunk.com/t5/Getting-Data-In/parse-csv-content-and-header-for-fields/m-p/500460#M85282 <P>Hi Markus,</P> <P>you can use Settings -&gt; Add Data wizard to get the parsing right. Here are the settings that I got using wizard:<BR /> [ your_csv_sourcetype ]<BR /> CHARSET=UTF-8<BR /> INDEXED_EXTRACTIONS=csv<BR /> KV_MODE=none<BR /> SHOULD_LINEMERGE=false<BR /> disabled=false<BR /> pulldown_type=true</P> <P>you have to put this configuration on <STRONG>universal forwarder</STRONG> or where splunk reads the file, not on indexer or on search head. As mentioned in props.conf:</P> <BLOCKQUOTE> <P>This setting applies at <STRONG>input time</STRONG>, when data is first read by Splunk software, such as on a forwarder that has configured inputs acquiring the data.</P> </BLOCKQUOTE> <P>Additionally you have to set KV_MODE=none on SH. Which time field should be used as time source is up to you, use TIMESTAMP_FIELDS for it.</P> <P><IMG src="https://community.splunk.com/storage/temp/287689-2020-03-26-09-42-13-add-data-set-sourcetype-splunk.png" alt="alt text" /></P> Wed, 30 Sep 2020 04:42:50 GMT https://community.splunk.com/t5/Getting-Data-In/parse-csv-content-and-header-for-fields/m-p/500460#M85282 PavelP 2020-09-30T04:42:50Z