Solved: Populate header as field in each row in CSV file - Splunk Community

Getting Data In

Hi,

I want to index a csv file, the data looks like

"ID","Name","hiredate"
"1","John","01-12-2014"
"2","Bob","01-12-2014"
"3","Mary","01-12-2014"

When the data is indexed i want to see the data like:

ID=1,Name=John,hiredate=01-12-2014
ID=2,Name=Bob,hiredate=01-12-2014
ID=3,Name=Mary,hiredate=01-12-2014

Is there a way to this, currntly the data in index looks like

1,John,01-12-2014

2,Bob,01-12-2014

3,Mary,01-12-2014

Thanks

1 Solution

Solution

No but I assume you want the "=" in the event to make search-time auto key-value extraction work. Use this instead:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime

Put this in props.conf

INDEXED_EXTRACTIONS=CSV

Then in the Splunk Search field picker you will see:

And you can show the fields in the events if you want:

View solution in original post

Solution

No but I assume you want the "=" in the event to make search-time auto key-value extraction work. Use this instead:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime

Put this in props.conf

INDEXED_EXTRACTIONS=CSV

Then in the Splunk Search field picker you will see:

And you can show the fields in the events if you want:

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...