Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to index a csv file which is not in a correct format

benazir
Explorer
‎12-15-2017 06:28 AM

Hi ,
Here is my scenario,
I have to index the below csv file, where the format looks like this , confused with the props file, kindly need your advice .

"RowID      session_id  ObjName   ProcStartTime             Days          [Duration in milliseconds]                  sql_command             sql_text     wait_info   blocking_session_id    blocked_session_count                  physical_io                  phyiscal_reads            query_plan                  open_tran_count                  percent_complete      start_time"
"15428778 1206          InsertsettlemerchantAll2              2017-12-13 14:02:00.913              00              116                                                (9ms)WRITELOG                           0                                                     8                                                     1                                  2017-12-13 14:02:10.953"
"15428787 1308          InsertPendingTrans     2017-12-13 14:02:10.953              00              46                                  (9ms)WRITELOG                           0                                                     8                                                     1                                  2017-12-13 14:02:10.953"

Each Row id : eg : 15428778 , 15428787 should index as a single event from the log file . is it possible ?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎12-16-2017 03:23 PM

Whenever I have trash files, I write a parser in Perl, setup a cron job to look for incoming files, fix them, then write the repaired files to where Splunk is looking for them. Then I have a 2x4 talk with the developers.

0 Karma
Reply

DalJeanis
Legend
‎12-15-2017 12:14 PM

Looks like either it is a physical report, or perhaps a tab delimited file that you have copied from a screen. You need to verify the underlying layout by editing the file in a very basic editor like notepad. Is it tabs between the fields, or a collection of spaces?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2017 11:36 AM

What you have is not a CSV file. Is every row enclosed in quotes? Are the field separated by spaces, tabs, or something else?
I looks like this will be a custom sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...