Getting Data In

CSV files with scientific notation fields

external_alien_
Explorer

I have a folder monitored by Splunk where CSV files are uploaded and sucked into Splunk. Splunk reads them no sweat and I can work with the data, the only problem is that the numerical values in the CSV files are all in Scientific notation and look for example like “2.7584000000000e+04” instead of simply “27584”. Splunk interprets them as numerical (not string) and I can fix this at search time with a few evals, but I have to do it for every search and was wondering if there's no way to fix this before the CSV files are indexed in Splunk? Say via editing props.conf?

Any help is much appreciated 😃

woodcock
Esteemed Legend

You can setup your eval statements as calculated fields using the EVAL- syntax here:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

0 Karma

external_alien_
Explorer

But doesn't that mean I have to know all the field names beforehand? Seeing as I have a large number of fields with values in scientific notation this is unfeasible, not to mention that field names may vary 😃
Is it theoretically possible to identify all values that contain say "e+" and rework them as plain decimal?

0 Karma

woodcock
Esteemed Legend

In that case, you need to create a macro using foreach and then use it whenever you need it. That is the best that you can do. Unfortunately, you cannot make the macro call automatic.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...