Getting Data In

Input a CSV

ofedorov
New Member

I'm trying to index a .CSV, created by tasklist.

CSV's headers and fields never get properly recognized and it gets indexed as a whole array:

"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Services","0","24 K","Unknown","NT AUTHORITY\SYSTEM","2:07:39","N/A"
"System","4","Services","0","300 K","Unknown","N/A","0:00:07","N/A"
"smss.exe","344","Services","0","1,204 K","Unknown","N/A","0:00:00","N/A"
"csrss.exe","448","Services","0","5,028 K","Unknown","N/A","0:00:00","N/A"
"csrss.exe","504","Console","1","3,772 K","Unknown","N/A","0:00:00","N/A"
"wininit.exe","512","Services","0","4,500 K","Unknown","N/A","0:00:00","N/A"
"winlogon.exe","540","Console","1","4,476 K","Unknown","N/A","0:00:00","N/A"
"services.exe","604","Services","0","8,700 K","Unknown","N/A","0:00:02","N/A"
"lsass.exe","612","Services","0","13,624 K","Unknown","N/A","0:00:01","N/A"
"lsm.exe","620","Services","0","6,016 K","Unknown","N/A","0:00:00","N/A"


inputs.conf

[batch://$SPLUNK_HOME\TEMP]
move_policy = sinkhole
interval = 60
source = transformfile
sourcetype = transformfile
disabled = 0

props.conf

[source::TRANSFORMFILE]
CHECK__FOR _HEADER=TRUE
SHOULD _LINEMERGE = false
TRANSFORM-transformfile = phy_csv

transforms.conf

[phy_csv]
DELIMS=","
FIELDS="Image Name", "PID", "Session Name", "Session#", "Mem Usage", "Status", "User Name", "CPU Time", "Window Title"

Any help here?

0 Karma

joshd
Builder

Here's your config files rewritten correcting the minor mistakes, this should work...

inputs.conf :

[batch://$SPLUNK_HOMETEMP]
move_policy = sinkhole
interval = 60
source = transformfile
sourcetype = transformfile
disabled = 0

props.conf :

[transformfile]
SHOULD_LINEMERGE = false
TRANSFORMS-transformfile = phy_csv

transforms.conf :

[phy_csv]
DELIMS=","
FIELDS="Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
0 Karma

ofedorov
New Member

Oh no, it does get indexed.
The file is being pulled from the TEMP folder all right, but in Splunk it appears as a single chunk of data, never broken into a table.

0 Karma

joshd
Builder

Sorry maybe I'm misunderstanding... your file is never getting indexed to begin with? Have you tried using a monitor stanza and the crcSalt attribute?

0 Karma

ofedorov
New Member

Thanks for the hint, but that didn't work either.
With "[batch://$SPLUNK_HOMETEMP]" the file never gets picked up - changed it to "[batch://$SPLUNK_HOME\TEMP]".
Output still remains the same v_v

0 Karma

joshd
Builder

In your props.conf it should be TRANSFORMS-transformfile, not TRANSFORM-transformfile. It also looks like you have two underscores in the CHECK_FOR_HEADER attribute, along with a space in the SHOULD_LINEMERGE attribute.

Also, you may wish to use the sourcetype stanza when specifying it in props.conf instead of the source stanza.

0 Karma

ofedorov
New Member

I've tried it both with and without it - the outcome is always the same.

0 Karma

joshd
Builder

Since you're specifying your own transform have you tried it without the CHECK_FOR_HEADER attribute in the props.conf?

0 Karma

ofedorov
New Member

Thanks for the catch, mate.
But that didn't do the trick, indexed data is still in one chunk.
Maybe there is a way to strip those quote marks during .cmd output? Then the headers might get recognized properly.

0 Karma
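The thread ends without a working config, so here is the props.conf/transforms.conf pair I would use for this tasklist CSV. It is an added example, not code from either poster, and it assumes the sourcetype name `transformfile` and the `$SPLUNK_HOME\TEMP` batch path from the thread; the field names (`image_name`, `pid`, ...) and the transform name `tasklist_drop_header` are my own choices. Two things differ from the posted configs. First, `DELIMS`/`FIELDS` transforms are search-time extractions and are wired in from props.conf with `REPORT-`, not `TRANSFORMS-` (the `TRANSFORMS-` class is for index-time transforms, which need `REGEX`/`FORMAT`/`DEST_KEY`), so the posted `phy_csv` stanza would never run either way. Second, a comma delimiter is the wrong tool for this data anyway: the sample rows above contain values such as `"1,204 K"` and `"13,624 K"`, so splitting on `,` would shift every field after Mem Usage. A quote-aware regex (or, on Splunk 6.0 and later, `INDEXED_EXTRACTIONS = csv`, shown commented out) avoids that. `DATETIME_CONFIG = CURRENT` is there because the rows carry no timestamp and `2:07:39` in the CPU Time column would otherwise be picked up as one; `CHARSET = AUTO` is a safeguard in case the CSV was produced by a PowerShell redirect (UTF-16) rather than cmd.exe.

```ini
# ---- inputs.conf ----
# Keep the backslash: the forum rendering dropped it in one of the replies above.
[batch://$SPLUNK_HOME\TEMP]
move_policy = sinkhole
interval = 60
sourcetype = transformfile
disabled = 0

# ---- props.conf ----
# Stanza name without "source::" matches the sourcetype set in inputs.conf.
[transformfile]
# One tasklist record per line; never merge lines into a single event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# tasklist output has no timestamp; do not let "2:07:39" (CPU Time) become one.
DATETIME_CONFIG = CURRENT
# Cope with a UTF-16LE file if the CSV came from a PowerShell redirect (assumption).
CHARSET = AUTO
# Index-time: send the header line to the null queue so it is not indexed.
TRANSFORMS-drop_header = tasklist_drop_header
# Search-time: quote-aware field extraction (DELIMS/FIELDS only work under REPORT-).
REPORT-tasklist_fields = phy_csv

# Alternative for Splunk 6.0+: let the indexer read the header from the file.
# Use this INSTEAD of the REPORT-/TRANSFORMS- lines above, not in addition.
# INDEXED_EXTRACTIONS = csv
# FIELD_DELIMITER = ,
# FIELD_QUOTE = "
# HEADER_FIELD_LINE_NUMBER = 1

# ---- transforms.conf ----
[tasklist_drop_header]
# Match the literal header row written by "tasklist /fo csv".
REGEX = ^"Image Name","PID","Session Name"
DEST_KEY = queue
FORMAT = nullQueue

[phy_csv]
# Nine double-quoted fields; [^"]* keeps embedded commas such as "1,204 K" intact.
# Named groups become field names; "Session#" is renamed to avoid "#" in a field name.
REGEX = ^"(?<image_name>[^"]*)","(?<pid>[^"]*)","(?<session_name>[^"]*)","(?<session_num>[^"]*)","(?<mem_usage>[^"]*)","(?<status>[^"]*)","(?<user_name>[^"]*)","(?<cpu_time>[^"]*)","(?<window_title>[^"]*)"$
```

Check it with `sourcetype=transformfile | table image_name pid user_name mem_usage` after a restart; if events still arrive as one block, the stanza is not being applied, so confirm the sourcetype on the indexed events is exactly `transformfile` and that the props.conf lives on the instance doing the parsing (the indexer, or a heavy forwarder).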