Solved: Use headers as fields for CSV imports on splunk cl...

pelican · ‎01-27-2024

Hi, i'm using the splunk cloud platform for a school project. When I import my csv files into splunk, it doesn't seem to recognise the headers of my csv as a field. Does anyone know how to get splunk to recognise my headers? thanks for any help

tscroggins · ‎01-27-2024

Hi @pelican,

As a quick and dirty solution, you can select "csv" in the "Source type:" drop-down on the Set Source Type page of the Add Data process. This will tell Splunk to read field names from the first line of the file and index subsequent lines using the header fields as indexed field extractions.

After the file is indexed, you can search for it in the default index using:

sourcetype=csv

If you specified a non-default index, add the index to the search:

index=homework sourcetype=csv

View solution in original post

tscroggins · ‎01-27-2024

Hi @pelican,

As a quick and dirty solution, you can select "csv" in the "Source type:" drop-down on the Set Source Type page of the Add Data process. This will tell Splunk to read field names from the first line of the file and index subsequent lines using the header fields as indexed field extractions.

After the file is indexed, you can search for it in the default index using:

sourcetype=csv

If you specified a non-default index, add the index to the search:

index=homework sourcetype=csv

pelican · ‎01-27-2024

Thank you so much, I've spent at least 10 hours on this

Use headers as fields for CSV imports on splunk cloud platform

CSV

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases