All Apps and Add-ons

How to create field extractions for dynamic csv files from headers that change with each file

OMohi
Path Finder

Hi:

How do I create a field based on header on a csv file. The header is different for each file that I am trying to index.

So far I have done the following on props.conf but with no success:

[sourcetype]
SHOULD_LINEMERGE = False
pulldown_type = true
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
KV_MODE = none
category = Structured

Is there something that I am missing.

Please let me know.

Thanks,

Mohammed Mohiuddin

1 Solution

woodcock
Esteemed Legend

You need to put this file on all the forwarders that are sending this data and YES, even though they are NOT Heavy Forwarders. Then restart each Splunk instance on the forwarders.

View solution in original post

woodcock
Esteemed Legend

You need to put this file on all the forwarders that are sending this data and YES, even though they are NOT Heavy Forwarders. Then restart each Splunk instance on the forwarders.

OMohi
Path Finder

Thanks Woodcock,

Your suggestion worked.

0 Karma

MuS
SplunkTrust
SplunkTrust

And here is the reason why it needs to be on the universal forwarder:

When you forward structured data to an indexer, Splunk Enterprise does not parse this data once it arrives at the indexer, even if you have configured props.conf on that indexer with INDEXED_EXTRACTIONS.

http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/Routeandfilterdatad#Caveats_for_routing...

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>