Solved: Populate header as field in each row in CSV file - Splunk Community

Getting Data In

Hi,

I want to index a csv file, the data looks like

"ID","Name","hiredate"
"1","John","01-12-2014"
"2","Bob","01-12-2014"
"3","Mary","01-12-2014"

When the data is indexed i want to see the data like:

ID=1,Name=John,hiredate=01-12-2014
ID=2,Name=Bob,hiredate=01-12-2014
ID=3,Name=Mary,hiredate=01-12-2014

Is there a way to this, currntly the data in index looks like

1,John,01-12-2014

2,Bob,01-12-2014

3,Mary,01-12-2014

Thanks

1 Solution

Solution

No but I assume you want the "=" in the event to make search-time auto key-value extraction work. Use this instead:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime

Put this in props.conf

INDEXED_EXTRACTIONS=CSV

Then in the Splunk Search field picker you will see:

And you can show the fields in the events if you want:

View solution in original post

Solution

No but I assume you want the "=" in the event to make search-time auto key-value extraction work. Use this instead:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime

Put this in props.conf

INDEXED_EXTRACTIONS=CSV

Then in the Splunk Search field picker you will see:

And you can show the fields in the events if you want:

Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...