Getting Data In

How to extract csv files with common fields in the header?

VatsalJagani
SplunkTrust
SplunkTrust

Below is my CSV file format.

 

 

Time Span:,Full Time-span
Rate:,Cumulative
Scope:,Net
This is Table Header
Field1,Field2,Field3,Field4
Total1,/,1.20%,2.34%,N/A
Total2,/Total2,1.20%,2.05%,N/A
Total3,/Total/Total3,1.20%,N/A,N/A
Effect4,/Total/Total4,0.00%,N/A,N/A

 

  • Here first 3 lines are common fields and values.
  • 4th line is the table header (willing to extract that as a field as well if possible)
  • The rest is the actual CSV file, I would like to extract it as field value pairs.

 

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

To do that you'll have to write a scripted input that parses the CSV and copies the common fields to each line in the file.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What have you tried so far?  Have you tried something like this in props.conf?

[mysourcetype]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 4
DATETIME_CONFIG = current
---
If this reply helps you, Karma would be appreciated.

VatsalJagani
SplunkTrust
SplunkTrust

@richgalloway - This is helpful. Thanks!!!

But I would like to include common fields from the header to all the events, not sure if that is possible.

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

To do that you'll have to write a scripted input that parses the CSV and copies the common fields to each line in the file.

---
If this reply helps you, Karma would be appreciated.
0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Yes, Python script is always an option, but I was wondering if it is possible without that. Something like KV_MODE=multi

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There is no setting that does what you desire.  KV_MODE = multi extracts fields from table-formatted data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...