Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract csv files with common fields in the header?

VatsalJagani
SplunkTrust
SplunkTrust
‎05-08-2023 05:43 AM

Below is my CSV file format.

 

 

Time Span:,Full Time-span
Rate:,Cumulative
Scope:,Net
This is Table Header
Field1,Field2,Field3,Field4
Total1,/,1.20%,2.34%,N/A
Total2,/Total2,1.20%,2.05%,N/A
Total3,/Total/Total3,1.20%,N/A,N/A
Effect4,/Total/Total4,0.00%,N/A,N/A

 

  • Here first 3 lines are common fields and values.
  • 4th line is the table header (willing to extract that as a field as well if possible)
  • The rest is the actual CSV file, I would like to extract it as field value pairs.

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-08-2023 09:52 AM

To do that you'll have to write a scripted input that parses the CSV and copies the common fields to each line in the file.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-08-2023 06:55 AM

What have you tried so far?  Have you tried something like this in props.conf?

[mysourcetype]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 4
DATETIME_CONFIG = current
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎05-08-2023 09:42 AM

@richgalloway - This is helpful. Thanks!!!

But I would like to include common fields from the header to all the events, not sure if that is possible.

 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-08-2023 09:52 AM

To do that you'll have to write a scripted input that parses the CSV and copies the common fields to each line in the file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎05-08-2023 09:27 PM

Yes, Python script is always an option, but I was wondering if it is possible without that. Something like KV_MODE=multi

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-09-2023 05:43 AM

There is no setting that does what you desire.  KV_MODE = multi extracts fields from table-formatted data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...