Solved: Re: CSV imports, headers as fields?

mcrawford44 · ‎12-13-2013

All,

I have been following this documentation;
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Extractfieldsfromfileheadersatindextime

No combination of props.conf settings appears to be working. Here is the data template of the file I am attempting to bring in;

Header1|Header2|Header3|Header4    
DataA|DataB|DataC|DataD

My assumed props.conf;

[SourceTypeName]
FIELD_DELIMITER=|
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false

Any ideas? I can edit the props.conf during the data add "wizard" and it updates the local conf file appropriately, however each event is still shown as a single line without field information;

Can't post images so replace the 'xx' with 'tt'; hxxp://i.imgur.com/vAKOJFY.png

ShaneNewman · ‎12-15-2013

[SourceTypeName]
FIELD_DELIMITER = "|"
CHECK_FOR_HEADER = true
HEADER_MODE = firstline

View solution in original post

ogdin · ‎02-13-2014

You don't want to use CHECK_FOR_HEADER in combination with indexed extractions. CHECK_FOR_HEADER is a deprecated technique we used for search-time field extractions.

In props.conf, use:

FIELD_DELIMITER=| HEADER_FIELD_DELIMITER=| INDEXED_EXTRACTIONS=psv

mcrawford44 · ‎12-16-2013

The quotes worked. -_-
Thanks!

ShaneNewman · ‎12-15-2013

[SourceTypeName]
FIELD_DELIMITER = "|"
CHECK_FOR_HEADER = true
HEADER_MODE = firstline

mcrawford44 · ‎12-16-2013

The quotes worked. -_-
Thanks!

lukejadamec · ‎12-13-2013

Have you tried quotes around the pipe? "|"

CSV imports, headers as fields?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases