Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

FIELD_NAMES for Missing Headers of CSV

emccaslin
Path Finder
‎12-11-2013 12:45 PM

I have a comma separated csv file with missing headers. From the props.conf.spec below it has the configuration setting in your props.conf file:


FIELD_NAMES = [ <string>,..., <string>]
* Some CSV and structured files might have missing headers. This attribute tells Splunk to specify the header field names directly.

My problem is I have been unable to get this to work. I push this into the props.conf file and when the logs are indexed I cannot find the field names.

Example csv file looks like this:



1,2,3,4,5

6,7,8,9,10

The headers should be a,b,c,d,e, so what should I set FIELD_NAMES equal to?

FIELD_NAMES = [a,b,c,d,e]
or
FIELD_NAMES = ["a","b","c","d","e"]
or
FIELD_NAMES = [<a>,<b>,<c>,<d>,<e>]
or
FIELD_NAMES = [<"a">,<"b">,<"c">,<"d">,<"e">]

or some other variation? I tried running btool check on my configurations but it doesn't reject what I have tried.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-19-2013 11:51 AM

Here is what you need to have:

Some data in a log file:

place1,41.66164,-87.74477
place2,41.66587,-86.894357
place3,41.72614,-85.97314

inputs.conf - Ensure you set a sourcetype

[monitor:///Users/splunker/Desktop/places.log]
sourcetype=geo

props.conf - Referencing the sourcetype

[geo]
SHOULD_LINEMERGE = false
FIELD_NAMES = location,latitude,longitude

alt text

View solution in original post

Reply
Solved! Jump to solution
Solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-19-2013 11:51 AM

Here is what you need to have:

Some data in a log file:

place1,41.66164,-87.74477
place2,41.66587,-86.894357
place3,41.72614,-85.97314

inputs.conf - Ensure you set a sourcetype

[monitor:///Users/splunker/Desktop/places.log]
sourcetype=geo

props.conf - Referencing the sourcetype

[geo]
SHOULD_LINEMERGE = false
FIELD_NAMES = location,latitude,longitude

alt text

Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-19-2013 01:58 PM

Please Accept the answer by selecting the check box next to my answer! Thanks!

0 Karma
Reply
Solved! Jump to solution

emccaslin
Path Finder
‎12-19-2013 01:31 PM

Thank you!

0 Karma
Reply
Solved! Jump to solution

emccaslin
Path Finder
‎12-19-2013 11:09 AM

My data is not enclosed in brackets, and removing the brackets from FIELD_NAMES did not work. Now I am just adding a field extraction and field transformation post-processing to deal with this issue.

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎12-11-2013 12:59 PM

Try removing the brackets:

FIELD_NAMES = "a","b","c","d","e"

Is your data enclosed in brackets?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...