All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

S3 bucket with CSV files not extracting fields at index time

ShaneNewman
Motivator
‎08-21-2019 02:35 PM

We have a S3 bucket containing many csv files, each with different header fields that need to be extracted at index time. The current configs in place for this is:

[aws:s3:csv]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1
KV_MODE = auto
SHOULD_LINEMERGE = false
HEADER_FIELD_LINE_NUMBER = 1
TRUNCATE = 999999
INDEXED_EXTRACTIONS = csv

This is on the heavy forwarder server that has the AWS add-on installed (latest version) in addition to being on the indexers. I have downloaded a sample csv file from S3 and imported it into Splunk via the UI and it parses correctly, yet it does not when setting this up via the Splunk_TA_aws app (UI or file) to use S3.

It seems that the AWS add on is causing it to ignore the HEADER_FIELD_LINE_NUMBER = 1 and INDEXED_EXTRACTIONS = csv setting entirely. Is anyone else seeing this, does anyone have a solution? Search time extractions are not an option here due to the fields changing frequently.

Reply

pgadhari
Builder
‎12-23-2020 09:43 AM

@ShaneNewman .. were you able to resolve this issue ? I am also getting same issues ? Please let me know..

 

Regards

PG

0 Karma
Reply

Sukisen1981
Champion
‎08-21-2019 10:54 PM

you uploaded the CSV using the UI , right? Can you compare the stanzas in the .conf files for the UI input vis a vis the AWS input? there might be some differences.
Several users have reported changing the sourcetype name [aws:s3:csv] sometimes cause an issue, once some of them reverted back to using just [aws:s3] thngs started wokring
can you try the compare and tinker with the sourcetype

0 Karma
Reply

jdunlea1
Explorer
‎05-04-2020 05:09 AM

@ShaneNewman Did you get a resolution to this? I am seeing the same thing myself when I run a "Generic S3" input for a custom input for CSV files in an S3 bucket.

The header lines keep getting indexed and the fields are not extracted when I search the data.

0 Karma
Reply

tjohnson341
Explorer
‎05-05-2021 08:28 AM

I know it has been a while but did anyone ever get this issue resolved? On the newest version of the AWS Add-On and still unable to figure out reading in data from CSV files with field extractions.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...