Getting Data In

CSV imports, headers as fields?

mcrawford44
Communicator

All,

I have been following this documentation;
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Extractfieldsfromfileheadersatindextime

No combination of props.conf settings appears to be working. Here is the data template of the file I am attempting to bring in;

Header1|Header2|Header3|Header4    
DataA|DataB|DataC|DataD

My assumed props.conf;

[SourceTypeName]
FIELD_DELIMITER=|
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false

Any ideas? I can edit the props.conf during the data add "wizard" and it updates the local conf file appropriately, however each event is still shown as a single line without field information;

Can't post images so replace the 'xx' with 'tt'; hxxp://i.imgur.com/vAKOJFY.png

1 Solution

ShaneNewman
Motivator
[SourceTypeName]
FIELD_DELIMITER = "|"
CHECK_FOR_HEADER = true
HEADER_MODE = firstline

View solution in original post

ogdin
Splunk Employee
Splunk Employee

You don't want to use CHECK_FOR_HEADER in combination with indexed extractions. CHECK_FOR_HEADER is a deprecated technique we used for search-time field extractions.

In props.conf, use:


FIELD_DELIMITER=|
HEADER_FIELD_DELIMITER=|
INDEXED_EXTRACTIONS=psv

0 Karma

mcrawford44
Communicator

The quotes worked. -_-
Thanks!

0 Karma

ShaneNewman
Motivator
[SourceTypeName]
FIELD_DELIMITER = "|"
CHECK_FOR_HEADER = true
HEADER_MODE = firstline

mcrawford44
Communicator

The quotes worked. -_-
Thanks!

0 Karma

lukejadamec
Super Champion

Have you tried quotes around the pipe? "|"

Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...