https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559718#M159018 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909">@SplunkDash</a>&nbsp;</P><P>can you try this and deploy it to UF not on HF/intermediate forwarder. Restart UF.</P><P>&nbsp;</P><LI-CODE lang="markup">## props.conf [your_sourcetype] HEADER_FIELD_LINE_NUMBER = 1 INDEXED_EXTRACTIONS = CSV DATETIME_CONFIG = CURRENT</LI-CODE><P>&nbsp;</P><P>--</P><P>An upvote would be appreciated and Accept the solution if this reply helps!</P> Thu, 15 Jul 2021 23:33:39 GMT venkatasri 2021-07-15T23:33:39Z https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559700#M159011 <P>Hello,</P><P>Please let me know how I would write Props Configuration file for this csv file. Segment of sample data for this csv file is given below. Any help will be highly appreciated, thank you!</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="malekmo_1-1626381853803.png" style="width: 757px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15117i1AE5711F41B637A0/image-dimensions/757x87?v=v2" width="757" height="87" role="button" title="malekmo_1-1626381853803.png" alt="malekmo_1-1626381853803.png" /></span></P><P>&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P> Thu, 15 Jul 2021 20:45:51 GMT https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559700#M159011 SplunkDash 2021-07-15T20:45:51Z https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559704#M159012 <P>Since you have structured data with a header you can use the built-in CSV sourcetype. Just set sourcetype = csv inputs.conf on your forwarder.<BR /><BR />Or you can create a custom one using INDEXED_EXTRACTIONS = csv<BR />See the documentation below for details and additional settings.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Extractfieldsfromfileswithstructureddata#Use_configuration_files_to_enable_automatic_header-based_field_extraction" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Extractfieldsfromfileswithstructureddata#Use_configuration_files_to_enable_automatic_header-based_field_extraction</A></P> Thu, 15 Jul 2021 20:58:05 GMT https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559704#M159012 codebuilder 2021-07-15T20:58:05Z https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559714#M159015 <P>Thank you. But, I used</P><P class="x_MsoNormal">&nbsp;</P><P class="x_MsoNormal">DATETIME_CONFIG=current</P><P class="x_MsoNormal">SHOULD_LINEMERGE=false</P><P class="x_MsoNormal">LINE_BREAKER=([\r\n]+)</P><P class="x_MsoNormal">NO_BINARY_CHECK=true</P><P class="x_MsoNormal">CHARSET=UTF-8</P><P class="x_MsoNormal">EVAL-_raw=replace(_raw,"\"","")</P><P class="x_MsoNormal">INDEXED_EXTRACTIONS=csv</P><P class="x_MsoNormal">KV_MODE=none</P><P class="x_MsoNormal">category=Structured</P><P class="x_MsoNormal">but, showing no events.......when I take off "DATETIME_CONFIG=current" and leave this value blank... it's showing events with error messages ("Failed to parse timestamp"). Any help will be highly appreciated.&nbsp;</P><P class="x_MsoNormal">&nbsp;</P> Thu, 15 Jul 2021 21:28:39 GMT https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559714#M159015 SplunkDash 2021-07-15T21:28:39Z https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559716#M159016 <P>Where are you putting this? Also, why are you doing replacements on _raw?</P> Thu, 15 Jul 2021 21:49:23 GMT https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559716#M159016 codebuilder 2021-07-15T21:49:23Z https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559717#M159017 <P>_raw&nbsp; just generated automatically from the system when I pull the source file&nbsp; through SPLUNK web console to test my PROPS. It doesn't make any differences if I take off take option</P> Thu, 15 Jul 2021 21:54:47 GMT https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559717#M159017 SplunkDash 2021-07-15T21:54:47Z https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559718#M159018 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909">@SplunkDash</a>&nbsp;</P><P>can you try this and deploy it to UF not on HF/intermediate forwarder. Restart UF.</P><P>&nbsp;</P><LI-CODE lang="markup">## props.conf [your_sourcetype] HEADER_FIELD_LINE_NUMBER = 1 INDEXED_EXTRACTIONS = CSV DATETIME_CONFIG = CURRENT</LI-CODE><P>&nbsp;</P><P>--</P><P>An upvote would be appreciated and Accept the solution if this reply helps!</P> Thu, 15 Jul 2021 23:33:39 GMT https://community.splunk.com/t5/Splunk-Search/Prop-Conf-for-CSV-input-data/m-p/559718#M159018 venkatasri 2021-07-15T23:33:39Z