Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I parse 2 sets of CSVs in one file?

hylam
Contributor
‎10-26-2015 04:02 AM

How could I parse this?

section1String
field1,field2,field3
value1,value2,value3
value1,value2,value3
value1,value2,value3
section2String
field4,field5,field6,field7
value4,value5,value6,value7
value4,value5,value6,value7
value4,value5,value6,value7

The number of value lines is unknown. Please handle 4 cases
a) The header lines are known strings
b) The header lines satisfy a regex
c) The header lines are 1 line below a known string
d) The header lines are 1 line below a string satisfying a regex

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-26-2015 09:17 AM

Like this:

| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=0 outputcsv FirstHalf.csv
| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=1 outputcsv SecondHalf.csv

| inputcsv FirstHalf.csv | append [|inputcsv SecondHalf.csv]

Note that this approach should work for any number of concatenated files, provided that filebreaker is the same.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-26-2015 09:17 AM

Like this:

| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=0 outputcsv FirstHalf.csv
| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=1 outputcsv SecondHalf.csv

| inputcsv FirstHalf.csv | append [|inputcsv SecondHalf.csv]

Note that this approach should work for any number of concatenated files, provided that filebreaker is the same.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-26-2015 08:27 AM

Like this:

| inputcsv TwoInOne.csv | head 4 | outputcsv FirstHalf.csv
| inputcsv TwoInOne.csv | tail 4 | outputcsv SecondHalf.csv

| inputcsv FirstHalf.csv | append [|inputcsv SecondHalf.csv]
Reply
Solved! Jump to solution

hylam
Contributor
‎10-26-2015 08:39 AM

your suggestion should work on fixed number of lines. i have edited the question. thx

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-26-2015 09:11 AM

The best thing to do is split the file on the outside of splunk.

0 Karma
Reply
Solved! Jump to solution

hylam
Contributor
‎10-26-2015 09:15 AM

Are there any line numbers in splunk? Can a splunk search grep for "field[1-3]" and "field[4-7]" and expand a subsearch to "4"?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-26-2015 09:24 AM

There is an internal field called _serial which is a line-number. I will think more about this approach if my other answer does not work (let me know with followup comments).

0 Karma
Reply
Solved! Jump to solution

hylam
Contributor
‎10-26-2015 08:35 AM

plz see edit1

0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened Audit Trail v2 wasn’t written in isolation—it was shaped by your voices. In ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...