https://community.splunk.com/t5/Splunk-Search/CSV-empty-quoted-field-extraction-problem/m-p/493472#M194405 <P>Hi there,</P> <P>I have the next CSV file:</P> <P>"CLM_TIMESTAMP","CLM_DATE","CLM_NUMBER"<BR /> "1569301200","24/09/2019 00:00:00","389721519283162"<BR /> "1569301400","24/09/2019 00:00:00",""<BR /> "1569301600","24/09/2019 00:00:00",""</P> <P>When forwarded to index, the CLM_NUMBER "" then appears indexed as 'CLM_NUMBER = ' so if you look at statistics it says that 100% of events has the field, however, I only want to have the field in those cases where it really appears, and to consider empty double quotes to null.</P> <P>Any idea to solve this problem? </P> <P>I have tried to apply SEDCMD commands to the source and change the _raw but even if I change the whole _raw to "I have changed the raw", all of the fields of the csv still remains with the values that contains in the csv.</P> Wed, 30 Sep 2020 02:23:49 GMT cajose3pepe 2020-09-30T02:23:49Z https://community.splunk.com/t5/Splunk-Search/CSV-empty-quoted-field-extraction-problem/m-p/493472#M194405 <P>Hi there,</P> <P>I have the next CSV file:</P> <P>"CLM_TIMESTAMP","CLM_DATE","CLM_NUMBER"<BR /> "1569301200","24/09/2019 00:00:00","389721519283162"<BR /> "1569301400","24/09/2019 00:00:00",""<BR /> "1569301600","24/09/2019 00:00:00",""</P> <P>When forwarded to index, the CLM_NUMBER "" then appears indexed as 'CLM_NUMBER = ' so if you look at statistics it says that 100% of events has the field, however, I only want to have the field in those cases where it really appears, and to consider empty double quotes to null.</P> <P>Any idea to solve this problem? </P> <P>I have tried to apply SEDCMD commands to the source and change the _raw but even if I change the whole _raw to "I have changed the raw", all of the fields of the csv still remains with the values that contains in the csv.</P> Wed, 30 Sep 2020 02:23:49 GMT https://community.splunk.com/t5/Splunk-Search/CSV-empty-quoted-field-extraction-problem/m-p/493472#M194405 cajose3pepe 2020-09-30T02:23:49Z https://community.splunk.com/t5/Splunk-Search/CSV-empty-quoted-field-extraction-problem/m-p/493473#M194406 <P>Hi<BR /> try something like this:</P> <PRE><CODE>| makeresults | eval CLM_TIMESTAMP="1569301200", CLM_DATE="24/09/2019 00:00:00", CLM_NUMBER="389721519283162" | append [ | makeresults | eval CLM_TIMESTAMP="1569301400", CLM_DATE="24/09/2019 00:00:00", CLM_NUMBER="" ] | append [ | makeresults | eval CLM_TIMESTAMP="1569301600", CLM_DATE="24/09/2019 00:00:00", CLM_NUMBER="" ] | eval CLM_NUMBER=if(tonumber(CLM_NUMBER)&gt;0,CLM_NUMBER,NULL) | stats count BY CLM_NUMBER </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Mon, 07 Oct 2019 12:56:54 GMT https://community.splunk.com/t5/Splunk-Search/CSV-empty-quoted-field-extraction-problem/m-p/493473#M194406 gcusello 2019-10-07T12:56:54Z https://community.splunk.com/t5/Splunk-Search/CSV-empty-quoted-field-extraction-problem/m-p/493474#M194407 <P>Many thanks for your answer Giuseppe. I forgot to mention that I need it at index time. </P> Mon, 07 Oct 2019 15:35:16 GMT https://community.splunk.com/t5/Splunk-Search/CSV-empty-quoted-field-extraction-problem/m-p/493474#M194407 cajose3pepe 2019-10-07T15:35:16Z https://community.splunk.com/t5/Splunk-Search/CSV-empty-quoted-field-extraction-problem/m-p/493475#M194408 <P>I have found a "solution" that fits for me:</P> <P><STRONG>PROPS.CONF</STRONG><BR /> [my_sourcetype]<BR /> CHARSET = ISO-8859-1<BR /> TZ = America/Sao_Paulo<BR /> TIME_PREFIX = \" # Line to get first field as timestamp<BR /> TIME_FORMAT=%s<BR /> MAX_TIMESTAMP_LOOKAHEAD=10<BR /> SHOULD_LINEMERGE = false<BR /> disabled = false<BR /> pulldown_type = true<BR /> KV_MODE = none<BR /> NO_BINARY_CHECK = true<BR /> PREAMBLE_REGEX = .<EM>CLM_NUMBER" #Line to avoid header indexing<BR /> SEDCMD-changeeventformat1 = s/(\"[^\"]</EM>\"),(\"[^\"]<EM>\"),(\"[^\"]</EM>\")/clm_timestamp=\1 clm_date=\2 clm_number=\3/g<BR /> SEDCMD-changeeventformat2 = s/ \w+=\"\"//g #This line deletes empty fields</P> <P>Not a beautiful solution but after hours of tries is the only solution I have found.</P> <P>Hope is helpful for others.</P> Wed, 30 Sep 2020 02:24:05 GMT https://community.splunk.com/t5/Splunk-Search/CSV-empty-quoted-field-extraction-problem/m-p/493475#M194408 cajose3pepe 2020-09-30T02:24:05Z