https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263951#M79224 <P>You did not mention <CODE>props.conf</CODE> in your question so we had to guess. That is why it is important to clearly spell out what you have done so far. No, <CODE>max_match</CODE> is not part of the <CODE>props.conf</CODE> way of extracting fields. I will post another answer.</P> Wed, 30 Mar 2016 03:02:56 GMT woodcock 2016-03-30T03:02:56Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263944#M79217 <P>I'm trying to extract fields from a basic .csv log with no luck. </P> <P>Here is the file how it looks in Splunk 6.2.5.. <BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1178iBE0D6A503965907C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>When I try to configure a field extraction, Splunk only recognizes the very first instance....<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1179iED9C9497FA5B7CAB/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Any help would be greatly appreciated - thanks!</P> Tue, 29 Mar 2016 18:40:45 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263944#M79217 dcascione 2016-03-29T18:40:45Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263945#M79218 <P>I assume you are using <CODE>rex</CODE> so you need to use the <CODE>max_match=0</CODE> option.</P> Tue, 29 Mar 2016 19:25:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263945#M79218 woodcock 2016-03-29T19:25:21Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263946#M79219 <P>The data is being loaded into a single event. </P> <P>Should it break thusly?<BR /> 3/29/2016,APC-DEV,-,0,0,0,0<BR /> 3/29/2016,MPC-TEMP,0,3,03</P> <P>If that's so, please let me know... </P> Tue, 29 Mar 2016 19:30:22 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263946#M79219 cpraznowski_spl 2016-03-29T19:30:22Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263947#M79220 <P>Yes, This is how I would like to see the log file break....</P> Tue, 29 Mar 2016 19:38:34 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263947#M79220 dcascione 2016-03-29T19:38:34Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263948#M79221 <P>Should this option be added to the props.conf located here: /opt/splunk/etc/deployment-apps/app_common/local ?</P> Tue, 29 Mar 2016 19:40:50 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263948#M79221 dcascione 2016-03-29T19:40:50Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263949#M79222 <P>got it....that's the problem, need to break after the carriage return. </P> <P>1) When you ingest the file, you need to create a new custom sourcetype. <BR /> 2) in $splunk/etc/apps/search/local .... you'll see that new sourcetype referenced. <BR /> 3) you need to instruct splunk to break after each line: LINE_BREAKER = ([\r\n]+)</P> <P>...or the props.conf on the deployment server should work as well....</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Indexmulti-lineevents">http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Indexmulti-lineevents</A></P> Tue, 29 Mar 2016 19:49:06 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263949#M79222 cpraznowski_spl 2016-03-29T19:49:06Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263950#M79223 <P>When you go to production yes, tthe props.conf will then get sent to the forwarder that is collecting the data. </P> <P>But for now you can test in : in $splunk/etc/apps/search/local .. and local the file a local directory to test...does that make sense?</P> Tue, 29 Mar 2016 23:10:10 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263950#M79223 cpraznowski_spl 2016-03-29T23:10:10Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263951#M79224 <P>You did not mention <CODE>props.conf</CODE> in your question so we had to guess. That is why it is important to clearly spell out what you have done so far. No, <CODE>max_match</CODE> is not part of the <CODE>props.conf</CODE> way of extracting fields. I will post another answer.</P> Wed, 30 Mar 2016 03:02:56 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263951#M79224 woodcock 2016-03-30T03:02:56Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263952#M79225 <P>In <CODE>props.conf</CODE> you need <CODE>KV_MODE=multi</CODE><BR /> - Used for search-time field extractions only.<BR /> - Specifies the field/value extraction mode for the data.</P> Wed, 30 Mar 2016 03:06:14 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-extract-all-fields-from-a-CSV-log-in-Splunk-6/m-p/263952#M79225 woodcock 2016-03-30T03:06:14Z