https://community.splunk.com/t5/Splunk-Search/Index-CSV-Missing-Columns/m-p/517434#M145502 <P>I have an interesting problem that I am not sure how to solve.&nbsp; I have a CSV that I am monitoring.&nbsp; The CSV has approximately 232 column headings given its a big data source.&nbsp; The data is being pulled in but there are some columns that are not being indexed for some reason.&nbsp; For example a missing column heading is say "comp_ip".&nbsp;</P><P>&nbsp;</P><P>SPL search in both smart or verbose mode, doesn't show the field "comp_ip".&nbsp; If I then write SPL as follows</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=foo sourcetype=csv | dedup comp_ip | table comp_ip</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>then SPLUNK happily shows me a table with all the values.&nbsp; If I run my search in verbose mode and then look back at "events" I can see my field in the interesting fields.&nbsp; However if I then revert back to normal search (i.e. index=foo sourcetype=csv) then my interesting fields no longer show this field.&nbsp; I have also checked to make sure that there are no more "interesting fields" that have not been selected.</P><P>&nbsp;</P><P>If I manually take the CSV file and do a manual "Add Data" and apply the sourcetype, I can see the column "comp_ip" with the relevant data.&nbsp;&nbsp;</P><P>&nbsp;</P><P>I am at a loss..</P> Wed, 02 Sep 2020 09:03:28 GMT willadams 2020-09-02T09:03:28Z https://community.splunk.com/t5/Splunk-Search/Index-CSV-Missing-Columns/m-p/517434#M145502 <P>I have an interesting problem that I am not sure how to solve.&nbsp; I have a CSV that I am monitoring.&nbsp; The CSV has approximately 232 column headings given its a big data source.&nbsp; The data is being pulled in but there are some columns that are not being indexed for some reason.&nbsp; For example a missing column heading is say "comp_ip".&nbsp;</P><P>&nbsp;</P><P>SPL search in both smart or verbose mode, doesn't show the field "comp_ip".&nbsp; If I then write SPL as follows</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=foo sourcetype=csv | dedup comp_ip | table comp_ip</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>then SPLUNK happily shows me a table with all the values.&nbsp; If I run my search in verbose mode and then look back at "events" I can see my field in the interesting fields.&nbsp; However if I then revert back to normal search (i.e. index=foo sourcetype=csv) then my interesting fields no longer show this field.&nbsp; I have also checked to make sure that there are no more "interesting fields" that have not been selected.</P><P>&nbsp;</P><P>If I manually take the CSV file and do a manual "Add Data" and apply the sourcetype, I can see the column "comp_ip" with the relevant data.&nbsp;&nbsp;</P><P>&nbsp;</P><P>I am at a loss..</P> Wed, 02 Sep 2020 09:03:28 GMT https://community.splunk.com/t5/Splunk-Search/Index-CSV-Missing-Columns/m-p/517434#M145502 willadams 2020-09-02T09:03:28Z https://community.splunk.com/t5/Splunk-Search/Index-CSV-Missing-Columns/m-p/517437#M145503 <P>you can create header using props.conf and transforms.conf&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">props.conf [sourcetype] EXTRACT-fields = big_data_fields_extraction transforms.conf [big_data_fields_extraction] DELIMS = "," FIELDS = "field1","field2","fiel1254"</LI-CODE><P><BR /><BR /></P> Wed, 02 Sep 2020 09:10:32 GMT https://community.splunk.com/t5/Splunk-Search/Index-CSV-Missing-Columns/m-p/517437#M145503 thambisetty 2020-09-02T09:10:32Z https://community.splunk.com/t5/Splunk-Search/Index-CSV-Missing-Columns/m-p/517461#M145508 <P>My data is already delim'd with "," and thats proven by the manual upload of the csv.&nbsp;&nbsp;<SPAN>This would do additional extractions to capture those specific fields but not allow for changes to the fields over time (which is likely to happen).&nbsp; How can this be done without having to props it for specific fields and be more "dynamic".&nbsp; What's causing it in the first instance.&nbsp;</SPAN></P> Wed, 02 Sep 2020 14:38:26 GMT https://community.splunk.com/t5/Splunk-Search/Index-CSV-Missing-Columns/m-p/517461#M145508 willadams 2020-09-02T14:38:26Z https://community.splunk.com/t5/Splunk-Search/Index-CSV-Missing-Columns/m-p/518318#M145761 <P>Spoke with SPLUNK support and the problem was resolved by changing the limits.conf configuration for [kv] within SPLUNK Enterprise.</P><P>&nbsp;</P><P>Created under system\local the file limits.conf and added the following stanza to it and restarted SPLUNK.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[kv] limit = 235</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Sep 2020 01:59:25 GMT https://community.splunk.com/t5/Splunk-Search/Index-CSV-Missing-Columns/m-p/518318#M145761 willadams 2020-09-08T01:59:25Z