Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

CSV report not showing data correctly

Shashank_87
Explorer
‎02-13-2020 09:05 AM

alt textHi, I have a daily scheduled report which goes to sftp server in a csv format. I am getting complaints that the data is not coming properly. I investigated and suspect that it may be because of the multi valued fields in the table but I am not sure. In Splunk it shows something like I have attached and in the CSV which is delivered on the server it is seen something like this very weird with column name deviceDescription

app,"serviceName","2020-02-12 23:34:01","2020-02-12 23:34:01",34567,ANA,C,,51228586,"HD BOX (CISCO),,,,,,,,,,,,
TIVO 500GB BOX (CISCO),,,,,,,,,,,,,,,,,,,,,,
TIVO 1TB BOX (ARRIS),,,,,,,,,,,,,,,,,,,,,,
TIVO 1TB BOX (ARRIS)",456,Agent,,,,5678997,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Total columns in the table is 23 but it seems in CSV they are more than 23 commas coming.

Any help is appreciated.alt text

Preview file
52 KB
Preview file
47 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎02-15-2020 03:34 AM 
index=temp_prd serviceName source=tomcat.txt 
| rex field=_raw "deviceDescription\>(?<deviceDescription>.*?)\<\/" max_match=20 
| rex field=_raw "requestTimestamp\>(?<requestTimestamp>.*?)\<\/" 
| dedup requestID
| fields - _*
| table originatorURI, activityname requestTimestamp,responseTimestamp,AccountNumber,ref,Channel,Code,accountDiagnosticsSummary,diagnosticIdentifier,deviceDescription 
| eval deviceDescription = mvjoin(deviceDescription,"|")

hi, @Shashank_87
how about this?

0 Karma
Reply

Shashank_87
Explorer
‎02-18-2020 07:01 AM

@to4kawa It worked like charm. Thanks. 🙂

0 Karma
Reply

Shashank_87
Explorer
‎02-25-2020 09:23 AM

@to4kawa Hi, it is still not working. So the issue is when sending this file to server using SFTP, it's not in the proper format. There are extra commas coming in multiple rows don't know for what reason.

Even if i export that from Splunk and open the file in Notepad++, it shows incorrectly. Attached are the 2 files - one from server and one directly from Splunk.

The data in both of these attached file should be coming as one row but they are going to next line and the server file have extra commas for no reason.

Please help.

0 Karma
Reply

to4kawa
Ultra Champion
‎02-25-2020 11:54 AM

add at last:

....
| fields - _*
0 Karma
Reply

vikramyadav
Contributor
‎02-13-2020 09:32 AM

Is it possible for you to share a query for a better understanding?

0 Karma
Reply

Shashank_87
Explorer
‎02-13-2020 10:07 AM

@vikramyadav There is nothing much in the search. There are few fields which I am extracting are multi valued like deviceDescription. I am trying to combine it's values by using mv command but not sure if it's working. Not sure what is causing that issue on csv

index=temp_prd serviceName source=tomcat.txt
| rex field=_raw "deviceDescription>(?[^<\/]+)" max_match=20
| rex field=_raw "requestTimestamp>(?[^<\/]+)"
| eval requestTimestam=strptime('requestTimestamp',"%Y-%m-%dT%H:%M:%S")
| eval requestTimestamp=strftime('requestTimestam',"%Y-%m-%d %H:%M:%S")
| dedup requestID
| table originatorURI, activityname requestTimestamp,responseTimestamp,AccountNumber,ref,Channel,Code,accountDiagnosticsSummary,diagnosticIdentifier,deviceDescription
| makemv delim="|" deviceDescription

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...