How to extract fields from CSV

Naga · ‎09-30-2021

I have a CSV file for ingestion like this. This needs to be monitored via inputs. I dont want to use INDEXED_EXTRACTION= CSV here. Without this I am able to get the feed in successfully. But not able to extract the fields I wanted

File sample

"NAME","AGE","GENDER"

"John","32","MALE"

"ROSE","23","FEMALE"

#props

[mysourcetype]
FIELD_DELIMITER = ,
FIELD_NAMES="NAME","AGE","GENDER"

HEADER_FIELD_LINE_NUMBER=1
HEADER_FIELD_DELIMITER = ,
FIELD_QUOTE = "
HEADER_FIELD_QUOTE = "
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true

No luck. Any ideas?

somesoni2 · ‎09-30-2021

If you're trying to do search time field extraction for CSV fields, give solution from this post a try:

https://community.splunk.com/t5/Getting-Data-In/splunk-field-extraction-csv/m-p/29894

isoutamo · ‎09-30-2021

You should drop FIELD_NAMES as you have already those names in your CSV file and pointed those with HEADER_FIELD_LINE_NUMBER

Naga · ‎09-30-2021

Thank you @isoutamo . I tried the same Removed FIELD_NAMES And tried as well. But no luck 😞

How to extract fields from CSV

CSV

props.conf

universal forwarder

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies