I have a simple .csv log file that I'm trying to break with:
[software_summary]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
Here is a sample of the log:
Back to Index, HOST INFORMATION,
Software build-2718055,10
Software build-3116895,15
Software build-2583090,35
Software 5.5.0 build-1746974,22
The two fields I'm interested in, which are comma delimited, are Software Build and Count. I'd like to see each line break out into its own log file. Thanks!!
The biggest issue I see with this file is that it's poorly formatted and not truly a well-formatted CSV file. See the screenshot below of when I saved the sample text you sent as software_summary.csv and opened it in Numbers on my Mac.
If you did have it as a CSV, then your props.conf would also include INDEXED_EXTRACTIONS = CSV and would handle this file much more easily.
If possible, can you clean that index and re-index the file after you've made that change? Can you also post the updated version of the csv file once they've changed it so we can confirm it looks correct?
Yes, the source file is a .csv - I just added the csv reference to the stanza - hopefully this will work! Thanks for the tip!!
INDEXED_EXTRACTIONS = CSV
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
Can you also modify the first couple of lines? The CSV indexed extractions work best if the first line is a header for the CSV file.
Back to Index, HOST INFORMATION,
So your CSV would look more like
software_build, count
Software build-2718055,10
Software build-3116895,15
Software build-2583090,35
Software 5.5.0 build-1746974,22
Hi dcascione, I think a good angle on this would be to check out the structured data options in props described here: http://docs.splunk.com/Documentation/Splunk/6.4.1/admin/Propsconf#Structured_Data_Header_Extraction_...
Essentially, you could define the FIELD_NAMES config to define the software_build and count fields, and the PREAMBLE_REGEX config to disregard the initial couple of lines.
To stick with the initial idea of breaking out the events, it seems that your config should be effective for treating each line as an event (SHOULD_LINEMERGE=false).
One issue here could be that this config is being set on a universal forwarder, which wouldn't do linebreaking. Props definitions would need to be put on the upstream HF or Indexer.
Please let me know if this answers your question!
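A props.conf stanza that combines the FIELD_NAMES and PREAMBLE_REGEX suggestions above with the settings already posted in this thread, as an added example that is not part of the original posts. The preamble pattern is an assumption based on the two heading strings in the posted sample; adjust it if the real file's leading lines differ.

```ini
# props.conf -- added example, not from the original thread
[software_summary]
# Parse the file as structured CSV instead of relying on line breaking alone
INDEXED_EXTRACTIONS = CSV
# Assumption: the non-data lines at the top begin with one of these headings
# (matches whether they sit on one line or on two separate lines)
PREAMBLE_REGEX = ^(Back to Index|HOST INFORMATION)
# The file has no header row, so name the two columns explicitly
FIELD_NAMES = software_build,count
# One event per row, as in the original stanza
SHOULD_LINEMERGE = false
```

With INDEXED_EXTRACTIONS set, Splunk parses the structured file on the instance that reads it, so this stanza has to be present in props.conf on the host that monitors the file, a universal forwarder included.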
According to the documentation, the stanza I added to the props.conf which includes (([\r\n]+), ) should break out each line into an event... Not sure why this is not working?