Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CSV report not showing data correctly

Shashank_87
Explorer
‎02-13-2020 09:05 AM

alt textHi, I have a daily scheduled report which goes to sftp server in a csv format. I am getting complaints that the data is not coming properly. I investigated and suspect that it may be because of the multi valued fields in the table but I am not sure. In Splunk it shows something like I have attached and in the CSV which is delivered on the server it is seen something like this very weird with column name deviceDescription

app,"serviceName","2020-02-12 23:34:01","2020-02-12 23:34:01",34567,ANA,C,,51228586,"HD BOX (CISCO),,,,,,,,,,,,
TIVO 500GB BOX (CISCO),,,,,,,,,,,,,,,,,,,,,,
TIVO 1TB BOX (ARRIS),,,,,,,,,,,,,,,,,,,,,,
TIVO 1TB BOX (ARRIS)",456,Agent,,,,5678997,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Total columns in the table is 23 but it seems in CSV they are more than 23 commas coming.

Any help is appreciated.alt text

Preview file
52 KB
Preview file
47 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎02-15-2020 03:34 AM 
index=temp_prd serviceName source=tomcat.txt 
| rex field=_raw "deviceDescription\>(?<deviceDescription>.*?)\<\/" max_match=20 
| rex field=_raw "requestTimestamp\>(?<requestTimestamp>.*?)\<\/" 
| dedup requestID
| fields - _*
| table originatorURI, activityname requestTimestamp,responseTimestamp,AccountNumber,ref,Channel,Code,accountDiagnosticsSummary,diagnosticIdentifier,deviceDescription 
| eval deviceDescription = mvjoin(deviceDescription,"|")

hi, @Shashank_87
how about this?

0 Karma
Reply

Shashank_87
Explorer
‎02-18-2020 07:01 AM

@to4kawa It worked like charm. Thanks. 🙂

0 Karma
Reply

Shashank_87
Explorer
‎02-25-2020 09:23 AM

@to4kawa Hi, it is still not working. So the issue is when sending this file to server using SFTP, it's not in the proper format. There are extra commas coming in multiple rows don't know for what reason.

Even if i export that from Splunk and open the file in Notepad++, it shows incorrectly. Attached are the 2 files - one from server and one directly from Splunk.

The data in both of these attached file should be coming as one row but they are going to next line and the server file have extra commas for no reason.

Please help.

0 Karma
Reply

to4kawa
Ultra Champion
‎02-25-2020 11:54 AM

add at last:

....
| fields - _*
0 Karma
Reply

vikramyadav
Contributor
‎02-13-2020 09:32 AM

Is it possible for you to share a query for a better understanding?

0 Karma
Reply

Shashank_87
Explorer
‎02-13-2020 10:07 AM

@vikramyadav There is nothing much in the search. There are few fields which I am extracting are multi valued like deviceDescription. I am trying to combine it's values by using mv command but not sure if it's working. Not sure what is causing that issue on csv

index=temp_prd serviceName source=tomcat.txt
| rex field=_raw "deviceDescription>(?[^<\/]+)" max_match=20
| rex field=_raw "requestTimestamp>(?[^<\/]+)"
| eval requestTimestam=strptime('requestTimestamp',"%Y-%m-%dT%H:%M:%S")
| eval requestTimestamp=strftime('requestTimestam',"%Y-%m-%d %H:%M:%S")
| dedup requestID
| table originatorURI, activityname requestTimestamp,responseTimestamp,AccountNumber,ref,Channel,Code,accountDiagnosticsSummary,diagnosticIdentifier,deviceDescription
| makemv delim="|" deviceDescription

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...