Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Changing CSV file header
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm working with a csv file with this header
Filenm,EIN,Status,Business Function,Maintained By, Region,Manufacturer Name,Building Name,Service Area,Model Name,Model Number,Serial Number,AM Tag Number,Equipment Type,Equipment Type Description,Network Connection Type Wired,IP Address v4 Wired,Nuvolo Flag,MAC Address Wired,Equipment Status Detail,Network Connection Type Wireless,IP Address v4 Wireless,IP Address Type Wireless,IP Address Type Wired,MAC Address Wireless,Host Name,Fully Qualified Domain Name,OS Version,Asset Type,Contains ePHI,Application Software NameWhat I would like to do is have Splunk transform to closer to Splunk field names. Such as
filenm,ein,status,business_function,maintained_by,region,manufacturer_name,building_name,service_area,model_name,model_number,serial_number,am_tag_mumber,equipment_type,equipment_type_description,network_connection_type_wired,ip_addres_v4_Wired,nuvolo_flag,mac_address_wired,equipment_status_detail,network_connection_type_wireless,ip_Address_v4_wireless,ip_address_type_wireless,ip_ddress_type_wired,mac_address_wireless,host_name,fully_qualified_domain_name,os_version,asset_type,contains_ephi,application_software_nameThe only thing I've been able to find is putting something in the TA transforms.conf like this
[edge_asset_header]
DELIMS = ","
FIELDS = "filenm","ein","status","business_function","maintained_by","region","manufacturer_name","building_name","service_area","model_name","model_number","serial_number","am_tag_mumber","equipment_type","equipment_type_description","network_connection_type_wired","ip_addres_v4_Wired","nuvolo_flag","mac_address_wired","equipment_status_detail","network_connection_type_wireless","ip_Address_v4_wireless","ip_address_type_wireless","ip_ddress_type_wired","mac_address_wireless","host_name","fully_qualified_domain_name","os_version","asset_type","contains_ephi","application_software_name"Is the only solution or did I miss something?
TIA,
Joe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jwhughes58,
you solution should work.
but anyway, there's also the approach that's used in normalization: create a set of aliases in yout App or TA, (not in a single search) that could be useful also wgen there are other fields named in those ways to rename.
I always normalize my field names in extraction for using also in other apps.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jwhughes58,
you solution should work.
but anyway, there's also the approach that's used in normalization: create a set of aliases in yout App or TA, (not in a single search) that could be useful also wgen there are other fields named in those ways to rename.
I always normalize my field names in extraction for using also in other apps.
Ciao.
Giuseppe
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
