https://community.splunk.com/t5/Splunk-Search/Why-are-fields-not-extracted-at-index-time-pulling-a-CSV-file/m-p/181517#M52310 <P>By default, [source::] and [] stanzas match in a case-sensitive manner,<BR /> while [host::] stanzas match in a case-insensitive manner. This is a convenient default,<BR /> given that DNS names are case-insensitive.</P> Mon, 12 Jan 2015 15:04:36 GMT jayannah 2015-01-12T15:04:36Z https://community.splunk.com/t5/Splunk-Search/Why-are-fields-not-extracted-at-index-time-pulling-a-CSV-file/m-p/181516#M52309 <P>I’m trying to pull a CSV file into Splunk with the fields extracted at index-time. My environment consist of multiple indexers with a master node, single search head, and a forwarder where the CSV file is at.<BR /> On the master and all the indexers is a props.conf:</P> <PRE><CODE>[CSVData] FIELD_NAMES = “Field1”, “Field2”, “Field3”, “Field4”, “Field5”, “Field6”, “Field7”, “Field8” FIELD_DELIMITER = "," INDEXED_EXTRACTIONS = csv CHECK_FOR_HEADER = false KV_MODE = none NO_BINARY_CHECK = false SHOULD_LINEMERGE = false TIMESTAMP_FIELDS = TIMESTAMP pulldown_type = true </CODE></PRE> <P>On the forwarder I have an inputs.conf:</P> <PRE><CODE>[batch://C:\CSV] disabled = 0 move_policy = sinkhole followTail = 0 index = csvindex sourcetype = csvdata </CODE></PRE> <P>The data is picked up and indexed. However when I search for the data in the index the fields are not extracted. All of the CSV data is just a ‘glob’ in the event. The props.conf above is an example of the CSV fields. The actual CSV has 34 columns in it, the props.conf includes all of them on my servers. Not all rows have data in each column.</P> <P>The props.conf works when I try to input data manually from the web interface (time and fields are extracted properly) and this similar setup works in a single node test environment. I suspect I’m missing a piece to the configuration in the multi-node environment I’m in now.</P> Mon, 12 Jan 2015 14:44:34 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-fields-not-extracted-at-index-time-pulling-a-CSV-file/m-p/181516#M52309 dw385 2015-01-12T14:44:34Z https://community.splunk.com/t5/Splunk-Search/Why-are-fields-not-extracted-at-index-time-pulling-a-CSV-file/m-p/181517#M52310 <P>By default, [source::] and [] stanzas match in a case-sensitive manner,<BR /> while [host::] stanzas match in a case-insensitive manner. This is a convenient default,<BR /> given that DNS names are case-insensitive.</P> Mon, 12 Jan 2015 15:04:36 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-fields-not-extracted-at-index-time-pulling-a-CSV-file/m-p/181517#M52310 jayannah 2015-01-12T15:04:36Z https://community.splunk.com/t5/Splunk-Search/Why-are-fields-not-extracted-at-index-time-pulling-a-CSV-file/m-p/181518#M52311 <P>Error on my part in trying to sanitize the post. The actual inputs.conf has <CODE>sourcetype = CSVData</CODE>, matching the props.conf.</P> Mon, 12 Jan 2015 15:34:36 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-fields-not-extracted-at-index-time-pulling-a-CSV-file/m-p/181518#M52311 dw385 2015-01-12T15:34:36Z