topic Re: Why is my Splunk forwarder not extracting CSV file fields? in Splunk Search

Why is my Splunk forwarder not extracting CSV file fields?

606866581 — Tue, 02 Feb 2016 12:35:52 GMT

Hi,

I've configured my forwarder's /etc/system/local/props.conf as such:

[mysourcetype]
INDEXED_EXTRACTIONS=CSV
FIELD_QUOTE="
FIELD_DELIMITER=,

outputs.conf is:

[default]
host = hostname23
[monitor:///qwerty/*]
index = myindex
disabled = false
followTail = 0
sourcetype = mysourcetype

And my indexer has its props.conf as:

[mysourcetype]
INDEXED_EXTRACTIONS=CSV
FIELD_QUOTE="
FIELD_DELIMITER=,

However, the events aren't being treated as CSVs, but rather, a generic log, so my headers have appeared as an actual event.

Any help is appreciated!

Re: Why is my Splunk forwarder not extracting CSV file fields?

Jeremiah — Tue, 29 Sep 2020 08:38:01 GMT

First, we'll assume you mean inputs.conf when you specified outputs.conf above. Also, your forwarder and indexer versions need to support indexed extractions (you didn't specify the versions you are running).

Have you tried it just without the FIELD_QUOTE and FIELD_DELIMITER settings? Both the values you have there are normal values for A CSV file. If you set the FIELD_* values you might then also have to set the same values for the HEADER_FIELD_QUOTE and HEADER_FIELD_DELIMITER.

You should also set SHOULD_LINEMERGE = False since these are single-line log entries and KV_MODE = none to disable automatic search time field extraction. The KV_MODE value should also go on your search head, or else you may see duplicate fields (both the index-time extracted field and the search time extracted fields).

Re: Why is my Splunk forwarder not extracting CSV file fields?

606866581 — Tue, 02 Feb 2016 15:54:42 GMT

The forwarder was running 4.2. Doh!
I've upgraded it and the problem is resolved. Thanks