Solved: Populate header as field in each row in CSV file - Splunk Community

Getting Data In

Hi,

I want to index a csv file, the data looks like

"ID","Name","hiredate"
"1","John","01-12-2014"
"2","Bob","01-12-2014"
"3","Mary","01-12-2014"

When the data is indexed i want to see the data like:

ID=1,Name=John,hiredate=01-12-2014
ID=2,Name=Bob,hiredate=01-12-2014
ID=3,Name=Mary,hiredate=01-12-2014

Is there a way to this, currntly the data in index looks like

1,John,01-12-2014

2,Bob,01-12-2014

3,Mary,01-12-2014

Thanks

1 Solution

Solution

No but I assume you want the "=" in the event to make search-time auto key-value extraction work. Use this instead:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime

Put this in props.conf

INDEXED_EXTRACTIONS=CSV

Then in the Splunk Search field picker you will see:

And you can show the fields in the events if you want:

View solution in original post

Solution

No but I assume you want the "=" in the event to make search-time auto key-value extraction work. Use this instead:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime

Put this in props.conf

INDEXED_EXTRACTIONS=CSV

Then in the Splunk Search field picker you will see:

And you can show the fields in the events if you want:

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...