Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- My CSV headers are not extracting properly in splu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My CSV headers are not extracting properly in splunk , Should be extracted into intresting feilds.What changes should i do to my props.conf
I see my csv log files headers showing as events and i would like have them in interesting fields extracted automatically.
CSV header ex: MMR,CLLL,city,Date,Time,Message,Status
props.conf
[XYZ]
INDEXED_EXTRACTIONS = csv
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
DATETIME_CONFIG = CURRENT
I have three diff source types where i need to apply similar conf to have the headers extracted .Please help and let me know if you need any further information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this in props.conf ON YOUR FORWARDER NODE and restart after deployment:
CSV header ex: MMR,CLLL,city,Date,Time,Message,Status
[XYZ]
INDEXED_EXTRACTIONS = CSV
TIMESTAMP_FIELDS = Date, Time
TIME_FORMAT = <Put Your Custom Stuff Here>
Note that only events forwarded AFTER the splunkd restart on the forwarder AFTER a correct configuration is deployed will have the field extractions present. Also be sure to set search mode to verbose.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Woodcock . I'm doing props.conf changes at indexer level as of now . I'll try it at forwarder node.
I've a question , does manual field extraction effect my CSV data in near feature . The user wants to have the fields extracted automatically not through manual extraction?
Appreciate your answers.
Thanks
guru.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are only 2 important "things" with fields: index-time vs. search-time. The former allows the use of tstats and other benefits for speed but takes up much more space. The rest of the decisions are mostly just packaging variations and don't really effect performance. By "manual" you are going the search-time route; you can easily repackage this to be automatic at search-time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would like to extract CSV headers as fields rather than doing manual field extraction
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
