https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/598688#M8822 <P>thanks woodcok, this saved my day, at least what was left of it after struggling for hours.</P><P>This behaviour seems very counter-intuitive; I am used to the concept of UFs beeing dumb and having no notion of events</P> Fri, 20 May 2022 16:02:10 GMT biko 2022-05-20T16:02:10Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400600#M6476 <P>hi all,<BR />i'm trying extract the fields from the csv files and my csv file is looks like this,</P> <P>just want to extract all fields at index-time only.</P> <P>field1,filed2,-,-,-,etc</P> <P>and my props.conf is <BR />[sourcetype]<BR />INDEXED_EXTRACTIONS = CSV<BR />FIELD_DELIMITER = ,<BR />HEADER_FIELD_DELIMITER = ,</P> <P>but this is not successful, am i missing something ?</P> Fri, 20 May 2022 16:06:27 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400600#M6476 rajasekhar14 2022-05-20T16:06:27Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400601#M6477 <P>Hi @rajasekhar14 </P> <P>Your config looks correct. Just make sure this props.conf file Is on the universal forwarder and not the indexer.</P> <P>All the best</P> Mon, 18 Feb 2019 20:04:02 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400601#M6477 chrisyounger 2019-02-18T20:04:02Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400602#M6478 <P>Hi Chris,<BR /> I haven’t deployed to UF, because we have HF in place between Indexers and UFs. So I deployed to HF.</P> Mon, 18 Feb 2019 20:37:07 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400602#M6478 rajasekhar14 2019-02-18T20:37:07Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400603#M6479 <P>Confusingly, CSV indexed extractions actually happen on the universal forwarder. It needs to be done here becuase it needs to use the header of the file regularly so it knows the column names.</P> Mon, 18 Feb 2019 21:29:30 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400603#M6479 chrisyounger 2019-02-18T21:29:30Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400604#M6480 <P>Absolutely - a bit more at <A href="https://answers.splunk.com/answers/705488/do-we-need-propsconf-on-the-indexer-when-indexing.html">Do we need props.conf on the indexer when indexing a csv file?</A></P> Tue, 19 Feb 2019 02:03:32 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400604#M6480 ddrillic 2019-02-19T02:03:32Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400605#M6481 <P>No I don't think so. However it doesn't harm to have it there.</P> Tue, 19 Feb 2019 02:43:45 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400605#M6481 chrisyounger 2019-02-19T02:43:45Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400606#M6482 <P>The <CODE>INDEXED_EXTRACTIONS</CODE> feature, unlike most index-time-related features, actually happens on the UF. So your <CODE>props.conf</CODE> <EM>must</EM> be sent to your UF and Splunk restarted there.</P> Tue, 19 Feb 2019 05:12:09 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400606#M6482 woodcock 2019-02-19T05:12:09Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400607#M6483 <P>@rajasekhar14 Where have you placed your props.conf? can you show the stanza in inputs.conf.</P> <P>Refer this link - <A href="https://answers.splunk.com/answers/719666/data-not-getting-extracted-correctly-as-per-csv.html">https://answers.splunk.com/answers/719666/data-not-getting-extracted-correctly-as-per-csv.html</A></P> Tue, 19 Feb 2019 10:19:07 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400607#M6483 ashajambagi 2019-02-19T10:19:07Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400608#M6484 <P>Chris, we are parsing at HF level, so I deployed tob HF.</P> Tue, 19 Feb 2019 12:37:53 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400608#M6484 rajasekhar14 2019-02-19T12:37:53Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400609#M6485 <P>@ashajambagi here is the my inputs.conf <BR /> [monitor:/D:\mytest/splunk.csv]<BR /> sourcetype=test<BR /> index=myindex<BR /> crcSalt = <BR /> initCrcLength = 256</P> Tue, 19 Feb 2019 12:42:35 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400609#M6485 rajasekhar14 2019-02-19T12:42:35Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400610#M6486 <P>@woodcock, as per all your suggestions i placed these settings in UF and restarted it, but now no luck.</P> Tue, 19 Feb 2019 12:43:44 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400610#M6486 rajasekhar14 2019-02-19T12:43:44Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400611#M6487 <P>Check the format for this : [monitor:/D:\mytest/splunk.csv]</P> <P>[sourcetype] #have you mentioned test here instead of sourcetype?<BR /> INDEXED_EXTRACTIONS = CSV<BR /> FIELD_DELIMITER = ,<BR /> HEADER_FIELD_DELIMITER = ,</P> Tue, 29 Sep 2020 23:22:43 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400611#M6487 ashajambagi 2020-09-29T23:22:43Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400612#M6488 <P>What do you mean "no luck" <EM>exactly</EM>?</P> <P>Is your data coming in to splunk? If so, then it <EM>definitely</EM> is working.<BR /> With <CODE>INDEXED_EXTRACTIONS</CODE> it is ALL or NONE.<BR /> I suspect that you expect this change to fix data that is already in wrong. It will NOT do that. You have to send NEW data in, and then it should work. If data is not coming in, then the only thing that might be causing you a problem is that your <CODE>sourcetype</CODE> does not match or your Timestamping is wrong so the events are ending up in a timeframe that you did not expect. Try a timepicker with <CODE>All time</CODE> to check for the latter.</P> Tue, 19 Feb 2019 13:58:03 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400612#M6488 woodcock 2019-02-19T13:58:03Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400613#M6489 <P>once i deployed these settings to UF its working </P> Tue, 26 Feb 2019 19:05:21 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400613#M6489 rajasekhar14 2019-02-26T19:05:21Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400614#M6490 <P>@woodcock now its working. previously it didn't deployed to UF. i have a question that why we need to deployed to UF only? in my case UF is forwarding to HF, and HF is forwarding to Indexers. So my all parsing is happening in HF level to avoid load on Indexers.</P> Tue, 26 Feb 2019 19:08:33 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400614#M6490 rajasekhar14 2019-02-26T19:08:33Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400615#M6491 <P>Parsing on HF swaps CPU load for port I/O load and a <EM>different</EM> CPU load in that payload per event is much fatter and is very inefficient. See here:</P> <P><A href="https://www.splunk.com/blog/2016/12/12/universal-or-heavy-that-is-the-question.html">https://www.splunk.com/blog/2016/12/12/universal-or-heavy-that-is-the-question.html</A></P> Tue, 26 Feb 2019 22:06:33 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/400615#M6491 woodcock 2019-02-26T22:06:33Z https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/598688#M8822 <P>thanks woodcok, this saved my day, at least what was left of it after struggling for hours.</P><P>This behaviour seems very counter-intuitive; I am used to the concept of UFs beeing dumb and having no notion of events</P> Fri, 20 May 2022 16:02:10 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-extract-the-csv-fields-at-index-time/m-p/598688#M8822 biko 2022-05-20T16:02:10Z