Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I parse 2 sets of CSVs in one file?

hylam
Contributor
‎10-26-2015 04:02 AM

How could I parse this?

section1String
field1,field2,field3
value1,value2,value3
value1,value2,value3
value1,value2,value3
section2String
field4,field5,field6,field7
value4,value5,value6,value7
value4,value5,value6,value7
value4,value5,value6,value7

The number of value lines is unknown. Please handle 4 cases
a) The header lines are known strings
b) The header lines satisfy a regex
c) The header lines are 1 line below a known string
d) The header lines are 1 line below a string satisfying a regex

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-26-2015 09:17 AM

Like this:

| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=0 outputcsv FirstHalf.csv
| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=1 outputcsv SecondHalf.csv

| inputcsv FirstHalf.csv | append [|inputcsv SecondHalf.csv]

Note that this approach should work for any number of concatenated files, provided that filebreaker is the same.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-26-2015 09:17 AM

Like this:

| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=0 outputcsv FirstHalf.csv
| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=1 outputcsv SecondHalf.csv

| inputcsv FirstHalf.csv | append [|inputcsv SecondHalf.csv]

Note that this approach should work for any number of concatenated files, provided that filebreaker is the same.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-26-2015 08:27 AM

Like this:

| inputcsv TwoInOne.csv | head 4 | outputcsv FirstHalf.csv
| inputcsv TwoInOne.csv | tail 4 | outputcsv SecondHalf.csv

| inputcsv FirstHalf.csv | append [|inputcsv SecondHalf.csv]
Reply
Solved! Jump to solution

hylam
Contributor
‎10-26-2015 08:39 AM

your suggestion should work on fixed number of lines. i have edited the question. thx

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-26-2015 09:11 AM

The best thing to do is split the file on the outside of splunk.

0 Karma
Reply
Solved! Jump to solution

hylam
Contributor
‎10-26-2015 09:15 AM

Are there any line numbers in splunk? Can a splunk search grep for "field[1-3]" and "field[4-7]" and expand a subsearch to "4"?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-26-2015 09:24 AM

There is an internal field called _serial which is a line-number. I will think more about this approach if my other answer does not work (let me know with followup comments).

0 Karma
Reply
Solved! Jump to solution

hylam
Contributor
‎10-26-2015 08:35 AM

plz see edit1

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Top