Re: CSV files with scientific notation fields

external_alien_ · ‎07-22-2016

I have a folder monitored by Splunk where CSV files are uploaded and sucked into Splunk. Splunk reads them no sweat and I can work with the data, the only problem is that the numerical values in the CSV files are all in Scientific notation and look for example like “2.7584000000000e+04” instead of simply “27584”. Splunk interprets them as numerical (not string) and I can fix this at search time with a few evals, but I have to do it for every search and was wondering if there's no way to fix this before the CSV files are indexed in Splunk? Say via editing props.conf?

Any help is much appreciated 😃

woodcock · ‎07-22-2016

You can setup your eval statements as calculated fields using the EVAL- syntax here:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

external_alien_ · ‎07-22-2016

But doesn't that mean I have to know all the field names beforehand? Seeing as I have a large number of fields with values in scientific notation this is unfeasible, not to mention that field names may vary 😃
Is it theoretically possible to identify all values that contain say "e+" and rework them as plain decimal?

woodcock · ‎07-22-2016

In that case, you need to create a macro using foreach and then use it whenever you need it. That is the best that you can do. Unfortunately, you cannot make the macro call automatic.

CSV files with scientific notation fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation