Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

CSV imports, headers as fields?

mcrawford44
Communicator
‎12-13-2013 06:42 AM

All,

I have been following this documentation;
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Extractfieldsfromfileheadersatindextime

No combination of props.conf settings appears to be working. Here is the data template of the file I am attempting to bring in;

Header1|Header2|Header3|Header4    
DataA|DataB|DataC|DataD

My assumed props.conf;

[SourceTypeName]
FIELD_DELIMITER=|
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false

Any ideas? I can edit the props.conf during the data add "wizard" and it updates the local conf file appropriately, however each event is still shown as a single line without field information;

Can't post images so replace the 'xx' with 'tt'; hxxp://i.imgur.com/vAKOJFY.png

Reply
1 Solution
Solved! Jump to solution
Solution

ShaneNewman
Motivator
‎12-15-2013 08:14 AM 
[SourceTypeName]
FIELD_DELIMITER = "|"
CHECK_FOR_HEADER = true
HEADER_MODE = firstline

View solution in original post

Reply
Solved! Jump to solution

ogdin
Splunk Employee
Splunk Employee
‎02-13-2014 07:56 AM

You don't want to use CHECK_FOR_HEADER in combination with indexed extractions. CHECK_FOR_HEADER is a deprecated technique we used for search-time field extractions.

In props.conf, use:


FIELD_DELIMITER=|
HEADER_FIELD_DELIMITER=|
INDEXED_EXTRACTIONS=psv

0 Karma
Reply
Solved! Jump to solution

mcrawford44
Communicator
‎12-16-2013 07:42 AM

The quotes worked. -_-
Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

ShaneNewman
Motivator
‎12-15-2013 08:14 AM 
[SourceTypeName]
FIELD_DELIMITER = "|"
CHECK_FOR_HEADER = true
HEADER_MODE = firstline
Reply
Solved! Jump to solution

mcrawford44
Communicator
‎12-16-2013 07:42 AM

The quotes worked. -_-
Thanks!

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎12-13-2013 07:03 AM

Have you tried quotes around the pipe? "|"

Reply
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...