https://community.splunk.com/t5/Getting-Data-In/Index-csv-files-with-grouped-fields/m-p/513885#M87124 <P>Hi</P><P>I'm using Universal forwarder and trying to consume a complex csv file. Usually this works OK by configuring props.conf correctly on the forwarder. However, this CSV file is quite complex, with many Grouped Field. "{ }" to be used&nbsp;for encapsulating outer most&nbsp;list and "[]" for internal lists.<BR />Every internal list within {} or []&nbsp;will be comma separated.<BR /><BR />Is this possible to achieve? I mean to get the naming of the header fields correct?&nbsp;</P><P><SPAN>Since the header fields will change depending on which groups or lists have data.</SPAN></P><P><SPAN>I have a good documentation of the csv file format, but haven't found any ways to make props.conf handle these grouped fields and lists.....</SPAN></P> Thu, 13 Aug 2020 11:59:43 GMT kjell_ml 2020-08-13T11:59:43Z https://community.splunk.com/t5/Getting-Data-In/Index-csv-files-with-grouped-fields/m-p/513885#M87124 <P>Hi</P><P>I'm using Universal forwarder and trying to consume a complex csv file. Usually this works OK by configuring props.conf correctly on the forwarder. However, this CSV file is quite complex, with many Grouped Field. "{ }" to be used&nbsp;for encapsulating outer most&nbsp;list and "[]" for internal lists.<BR />Every internal list within {} or []&nbsp;will be comma separated.<BR /><BR />Is this possible to achieve? I mean to get the naming of the header fields correct?&nbsp;</P><P><SPAN>Since the header fields will change depending on which groups or lists have data.</SPAN></P><P><SPAN>I have a good documentation of the csv file format, but haven't found any ways to make props.conf handle these grouped fields and lists.....</SPAN></P> Thu, 13 Aug 2020 11:59:43 GMT https://community.splunk.com/t5/Getting-Data-In/Index-csv-files-with-grouped-fields/m-p/513885#M87124 kjell_ml 2020-08-13T11:59:43Z https://community.splunk.com/t5/Getting-Data-In/Index-csv-files-with-grouped-fields/m-p/513911#M87126 Example data would be helpful, but I suspect the file is more complex than Splunk can handle. Splunk expects all CSV rows to have the same set of fields.<BR />Consider creating a scripted input to ingest that file. Thu, 13 Aug 2020 13:21:51 GMT https://community.splunk.com/t5/Getting-Data-In/Index-csv-files-with-grouped-fields/m-p/513911#M87126 richgalloway 2020-08-13T13:21:51Z https://community.splunk.com/t5/Getting-Data-In/Index-csv-files-with-grouped-fields/m-p/513915#M87127 <P>Hi</P><P>&nbsp;</P><P>Here's an example, I have anonymized the data and broken it up on separate lines where the internal groups and lists occur: (Inside the [] brackets there can be data or not, depending on type of transactions. This is what messes up the header_field naming)</P><P>0-0-9-1,64,xxx.xxx.x.x,28fa2342-5b1b-4605-b178-f2ec2b0b5327,20200813151737.417061,ff-14f-3fffffff-00152,,,<BR />{REGISTER,,3600,0,<BR />[sip:+4700000000@xxx.xxxxxx.xxxxxx.xxx.xxxxxxxxxxx.xxx],<BR />[sip:+4700000000@xxx.xxxxx.xxxxxx.xxx.xxxxxxxxxxx.xxx,tel:+4700000000],<BR />sip:+4700000000@xxx.xxxxxx.xxxxxx.xxx.xxxxxxxxxxx.xxx,<BR />[],<BR />20200813151737.417083,417,20200813151742.479075,479,,0,-1,xxxx-x-xxxxx-xxx;xxxxx-xxxx-xx-xxxx=xxxxxxxxxxxxxxxx,0,xxxxxxx.xxx,,0,<BR />[],<BR />,<BR />[<BR />[255.671.3043243843-1293344657.140,Ioi1,12345,]<BR />]},<BR />{[0,0,,0,0,0,0,xxxx-x-xxxxx-xxx,0],<BR />},<BR />{1,0,,0,0,0,false},<BR />,,,,,,,,,,,,,<BR />{[3,2,20200813151737.419758,REGISTER,0,xx.xx.x.xx,xxx.xxx.x.xx],<BR />[3,2,20200813151742.434086,REGISTER,0,xxx.xxx.xx.xxx,xxx.xxx.xx.xxx],<BR />[3,2,20200813151742.467122,200,0,xxx.xxx.xx.xxx,xxx.xxx.xx.xxx],<BR />[3,2,20200813151742.478905,200,0,xxx.xxx.xx.xxx,xx.xx.x.xx]}\x00</P> Thu, 13 Aug 2020 13:36:36 GMT https://community.splunk.com/t5/Getting-Data-In/Index-csv-files-with-grouped-fields/m-p/513915#M87127 kjell_ml 2020-08-13T13:36:36Z