Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Index csv files with grouped fields?

kjell_ml
New Member
‎08-13-2020 04:59 AM

Hi

I'm using Universal forwarder and trying to consume a complex csv file. Usually this works OK by configuring props.conf correctly on the forwarder. However, this CSV file is quite complex, with many Grouped Field. "{ }" to be used for encapsulating outer most list and "[]" for internal lists.
Every internal list within {} or [] will be comma separated.

Is this possible to achieve? I mean to get the naming of the header fields correct? 

Since the header fields will change depending on which groups or lists have data.

I have a good documentation of the csv file format, but haven't found any ways to make props.conf handle these grouped fields and lists.....

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2020 06:21 AM
Example data would be helpful, but I suspect the file is more complex than Splunk can handle. Splunk expects all CSV rows to have the same set of fields.
Consider creating a scripted input to ingest that file.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kjell_ml
New Member
‎08-13-2020 06:36 AM

Hi

 

Here's an example, I have anonymized the data and broken it up on separate lines where the internal groups and lists occur: (Inside the [] brackets there can be data or not, depending on type of transactions. This is what messes up the header_field naming)

0-0-9-1,64,xxx.xxx.x.x,28fa2342-5b1b-4605-b178-f2ec2b0b5327,20200813151737.417061,ff-14f-3fffffff-00152,,,
{REGISTER,,3600,0,
[sip:+4700000000@xxx.xxxxxx.xxxxxx.xxx.xxxxxxxxxxx.xxx],
[sip:+4700000000@xxx.xxxxx.xxxxxx.xxx.xxxxxxxxxxx.xxx,tel:+4700000000],
sip:+4700000000@xxx.xxxxxx.xxxxxx.xxx.xxxxxxxxxxx.xxx,
[],
20200813151737.417083,417,20200813151742.479075,479,,0,-1,xxxx-x-xxxxx-xxx;xxxxx-xxxx-xx-xxxx=xxxxxxxxxxxxxxxx,0,xxxxxxx.xxx,,0,
[],
,
[
[255.671.3043243843-1293344657.140,Ioi1,12345,]
]},
{[0,0,,0,0,0,0,xxxx-x-xxxxx-xxx,0],
},
{1,0,,0,0,0,false},
,,,,,,,,,,,,,
{[3,2,20200813151737.419758,REGISTER,0,xx.xx.x.xx,xxx.xxx.x.xx],
[3,2,20200813151742.434086,REGISTER,0,xxx.xxx.xx.xxx,xxx.xxx.xx.xxx],
[3,2,20200813151742.467122,200,0,xxx.xxx.xx.xxx,xxx.xxx.xx.xxx],
[3,2,20200813151742.478905,200,0,xxx.xxx.xx.xxx,xx.xx.x.xx]}\x00

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...