https://community.splunk.com/t5/Splunk-Search/Select-only-some-fields-from-csv-to-index/m-p/489457#M194070 <P>Hi all,<BR /> I'm in enviroment so configured:</P> <P>1 uf, 1 hf, 4 indexers, 1 search head, 1 master cluster.</P> <P>I've to index a large CSV, read from the universal forwarder, which forwards data to the HF which pass the data to the indexer.</P> <P>The CSV has 150 fields and I want to index only 10 of these. So I've configured these things:</P> <P>on <STRONG>universal forwarder</STRONG>: </P> <H1>------------------</H1> <P>inputs.conf </P> <H1>------------------</H1> <P>[monitor:///myfolder/Interface*]<BR /> disabled = 0<BR /> index = interface_metrics<BR /> sourcetype = if_csv</P> <P>on <STRONG>heavy forwarder</STRONG></P> <H1>------------------</H1> <P>inputs.conf</P> <H1>------------------</H1> <P>[splunktcp://9996]<BR /> index=interface_metrics<BR /> sourcetype = if_csv</P> <H1>------------------</H1> <P>props.conf</P> <H1>------------------</H1> <P>[if_csv]<BR /> INDEXED_EXTRACTIONS = CSV<BR /> HEADER_FIELD_LINE_NUMBER=1<BR /> HEADER_FIELD_DELIMITER =,<BR /> FIELD_DELIMITER=,<BR /> HEADER_FIELD_LINE_NUMBER = 0<BR /> TRANSFORMS-set=setnull, setparsing, nullhead</P> <H1>------------------</H1> <P>transforms.conf</P> <H1>------------------</H1> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[nullhead]<BR /> REGEX = ifInDiscardsDelta<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = ^([^,]<EM>),([^,]</EM>),(?:[^,]+,\s*)([^,]<EM>),([^,]</EM>)(?:[^,]+,\s*){5}([^,]<EM>),([^,]</EM>)(?:[^,]+,\s*){3}([^,]<EM>),([^,]</EM>),(?:[^,]+,\s*){2}([^,]<EM>),([^,]</EM>)(?:[^,]+,\s*){7}([^,]<EM>)(?:(?:[^,]+,?\s</EM>)|(?:[,,])){123}([^,]<EM>),([^,]</EM>)<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P><STRONG>example CSV row :</STRONG><BR /> 0ef1fa5f-586c-48a4-a902-827aef967f47,1569309580446,300.0,100,9,0,0,0,0,6.6107712E7,5.0463189E7,151356.0,150857.0,0.176,0.135,0.0,0.0,0.0,0.0,0,0,0,0,0,0,4b16e13e-c391-4626-b364-2890fe5a009a,0,0,0,0,,,151351,149267,0,0,451,5,1139,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,039550ed-1d39-487f-9b12-276ad9472771,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3.0,3.0,,,0.056,3.4E-4,0.2,3.0,3.0,,,0.056,3.4E-4,0.2,1569309300000,300</P> <P>I want to keep the fields:<BR /> 1,2,4,5,10,11,14,15,26,149,150</P> <P>I don't succeed in indexing only the fields that I choose, but the whole row.</P> <P>What I'm wrong ?</P> <P>Thanks <BR /> Fabrizio</P> Wed, 30 Sep 2020 02:20:03 GMT fabrizioalleva 2020-09-30T02:20:03Z https://community.splunk.com/t5/Splunk-Search/Select-only-some-fields-from-csv-to-index/m-p/489457#M194070 <P>Hi all,<BR /> I'm in enviroment so configured:</P> <P>1 uf, 1 hf, 4 indexers, 1 search head, 1 master cluster.</P> <P>I've to index a large CSV, read from the universal forwarder, which forwards data to the HF which pass the data to the indexer.</P> <P>The CSV has 150 fields and I want to index only 10 of these. So I've configured these things:</P> <P>on <STRONG>universal forwarder</STRONG>: </P> <H1>------------------</H1> <P>inputs.conf </P> <H1>------------------</H1> <P>[monitor:///myfolder/Interface*]<BR /> disabled = 0<BR /> index = interface_metrics<BR /> sourcetype = if_csv</P> <P>on <STRONG>heavy forwarder</STRONG></P> <H1>------------------</H1> <P>inputs.conf</P> <H1>------------------</H1> <P>[splunktcp://9996]<BR /> index=interface_metrics<BR /> sourcetype = if_csv</P> <H1>------------------</H1> <P>props.conf</P> <H1>------------------</H1> <P>[if_csv]<BR /> INDEXED_EXTRACTIONS = CSV<BR /> HEADER_FIELD_LINE_NUMBER=1<BR /> HEADER_FIELD_DELIMITER =,<BR /> FIELD_DELIMITER=,<BR /> HEADER_FIELD_LINE_NUMBER = 0<BR /> TRANSFORMS-set=setnull, setparsing, nullhead</P> <H1>------------------</H1> <P>transforms.conf</P> <H1>------------------</H1> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[nullhead]<BR /> REGEX = ifInDiscardsDelta<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = ^([^,]<EM>),([^,]</EM>),(?:[^,]+,\s*)([^,]<EM>),([^,]</EM>)(?:[^,]+,\s*){5}([^,]<EM>),([^,]</EM>)(?:[^,]+,\s*){3}([^,]<EM>),([^,]</EM>),(?:[^,]+,\s*){2}([^,]<EM>),([^,]</EM>)(?:[^,]+,\s*){7}([^,]<EM>)(?:(?:[^,]+,?\s</EM>)|(?:[,,])){123}([^,]<EM>),([^,]</EM>)<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P><STRONG>example CSV row :</STRONG><BR /> 0ef1fa5f-586c-48a4-a902-827aef967f47,1569309580446,300.0,100,9,0,0,0,0,6.6107712E7,5.0463189E7,151356.0,150857.0,0.176,0.135,0.0,0.0,0.0,0.0,0,0,0,0,0,0,4b16e13e-c391-4626-b364-2890fe5a009a,0,0,0,0,,,151351,149267,0,0,451,5,1139,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,039550ed-1d39-487f-9b12-276ad9472771,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3.0,3.0,,,0.056,3.4E-4,0.2,3.0,3.0,,,0.056,3.4E-4,0.2,1569309300000,300</P> <P>I want to keep the fields:<BR /> 1,2,4,5,10,11,14,15,26,149,150</P> <P>I don't succeed in indexing only the fields that I choose, but the whole row.</P> <P>What I'm wrong ?</P> <P>Thanks <BR /> Fabrizio</P> Wed, 30 Sep 2020 02:20:03 GMT https://community.splunk.com/t5/Splunk-Search/Select-only-some-fields-from-csv-to-index/m-p/489457#M194070 fabrizioalleva 2020-09-30T02:20:03Z https://community.splunk.com/t5/Splunk-Search/Select-only-some-fields-from-csv-to-index/m-p/489458#M194071 <P>Ok,<BR /> I've solved with a SED command as </P> <P><A href="https://answers.splunk.com/answers/564940/remove-fields-at-index-time-from-a-csv-file.html">https://answers.splunk.com/answers/564940/remove-fields-at-index-time-from-a-csv-file.html</A></P> <P>But is there another way to solve it ?</P> Tue, 24 Sep 2019 12:41:50 GMT https://community.splunk.com/t5/Splunk-Search/Select-only-some-fields-from-csv-to-index/m-p/489458#M194071 fabrizioalleva 2019-09-24T12:41:50Z