Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CSV Field Extraction

teco_akelly
Engager
‎02-11-2021 01:07 PM

I've got a non-standard CSV log file that has no headers. Depending on the first field of each line determines what number and order of the fields are behind it. How can I have splunk assign field names to the data depending on the first field in a given row?

An example would be:

Operation Record,Timestamp,Tagname,Decription,Station

Alarm Confirm,Timestamp,Tagname,Station,Severity,

Process Alarm,Timestamp,Tagname,Description,Value

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-18-2021 11:31 AM

Many of us like regex101.com for help writing and testing regular expressions.

I think you'll need a transform for each type of records in the CSV file.  The transforms would look something like this.

[parseOperation]
REGEX = Operation Record,([^,]+),([^,]+),([^,]+),([^,]+)
FORMAT = Timestamp::$1 Tagname::$2 Description::$3 Station::$4

[parseAlarm]
REGEX = Alarm Confirm,([^,]+),([^,]+),([^,]+),([^,]+)
FORMAT = Timestamp::$1 Tagname::$2 Station::$3 Severity::$4

[parseProcess]
REGEX = Process Alarm,([^,]+),([^,]+),([^,]+),([^,]+)
FORMAT = Timestamp::$1 Tagname::$2 Description::$3 Value::$4

Then a props.conf attribute would reference the transforms.

[mysourcetype]
TRANSFORMS-parsers = parseOperation, parseAlarm, parseProcess

See the Admin Manual for more information about transforms.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-12-2021 06:44 AM

That's not a true CSV file, even though the values are separated by commas.

I would try using transforms with REGEX to parse those rows.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

teco_akelly
Engager
‎02-18-2021 07:33 AM

Do you know if there are any tools out there or someone I can get to assist in writing this if I provide the csv? I am completely unfamiliar with transforms and REGEX.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...