I'm using this app but whenever I import a CSV it seems to lose the values from the last column e.g.
EventValueFilter,Duration,Earliest,Limit
"EVENTA","1000"," ","| head 5 "
"EVENTB","2000"," ","| head 5 "
"EVENTC","3000"," ","| head 5 "
And when I use the app:
| importutil http http://mysite/mycsv.csv
| multikv
| table EventValueFilter, Duration, Earliest, Limit
It returns the values for the first three fields but no values for Limit. If I add an extra dummy value to each row it will return the values for Limit but not for the new column.
Splunk is running on Windows Server 2003 R2, version 4.2.3, build 105575.
Screenshot of CSV file
Screenshot of splunk
paddy, The scenario you described works for me. I was able to read in and display all fields from a csv file that looks like
EventValueFilter,Duration,Earliest,Limit
"EVENTA","1000"," ","| head 5 "
"EVENTB","2000"," ","| head 5 "
"EVENTC","3000"," ","| head 5 "
I've only tested on a Mac, but it should work for Splunk running on Unix and Windows. What OS are you running on? What version of Splunk? Can you send a screenshot of the output you are seeing?
Regarding the map issue, I'm not sure I understand the question. Can you explain in more detail?
I've emailed on the details as requested.
I've tested with a similar file on Windows 7 with Splunk 4.2.3 and it appears to work. One other question: what version of importutil are you using? 1.0 beta1 (i.e. the latest version)? If not, try downloading the latest version and reinstalling. Assuming you are using the latest, can you try executing importutil from the command line:
cd %SPLUNK_HOME%\etc\apps\importutil\bin
%SPLUNK_HOME%\bin\splunk cmd python importutil.py http http://yourhost/your.csv
Email the results to splunk@ngsoft.org. Also, would you mind sending me a copy of the CSV file?
On the map issue discussed above, when I run a map command after the initial importutil code it doesn't seem to pick up the values, e.g.
| importutil format=splunk http http://mysite/mycsv.csv
| multikv
| table EventValueFilter, Duration, Earliest, Limit
| map [search source=MySource $EventValueFilter$ $Limit$
| stats avg(Timing) as Timing by TransactionName
| where Timing >= $Duration$] maxsearches=99
| fields TransactionName, Timing
It returns 9 rows with no values for either TransactionName or Timing shown. The initial import CSV contains 9 records.
Thanks for your help on the import issue here
I've edited my response above for the first issue.
Regarding the map issue, I meant that when I added in an additional value for each row in the CSV and Splunk was pulling out the four values correctly, if I then added the map command above to iterate over each line it didn't seem to evaluate the parameters out. For example, values for both $EventValueFilter$ and $Limit$ were empty for each row. I will get screenshots and add
Also, when I do add the dummy field to get all the values I need out, I am unable to use this with the map command. e.g.
| map [search source=MySource $EventValueFilter$ $Limit$ | stats avg(Timing) as Timing by TransactionName | where Timing >= $Duration$] maxsearches=99
It fails to bind the values from the CSV file to parameters in the sub-query for the map command.