Getting Data In

What is the correct parameter in props.conf for a CSV file?

willmirko
New Member

Hi all, I'm pretty new here.

I need to assign a name to the fields of a .csv imported file,
but it doesn't work.
In the props.conf file I'm using these settings:

DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
HEADER_MODE = firstline
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
PREAMBLE_REGEX = ^\tDate
FIELD_NAMES = [ Date, Time, Cl, User Name, Terminal name, TCode, Program, Audit Log Msg Text, Long Text, Proc , WP, Data, Data, Data, Data ]

Can you help me?

thanks
Mirko


twinspop
Influencer

HEADER_MODE? I'm not familiar with it, but the docs show:

  • Determines whether to use the inline ***SPLUNK*** directive to rewrite index-time fields.

I don't think this is what you want. Instead maybe this:

HEADER_FIELD_LINE_NUMBER = <integer>

* Tells Splunk the line number of the line within the file that contains the
  header fields.  If set to 0, Splunk attempts to locate the header fields
  within the file automatically.

And if you use a header line, I don't think you want to list FIELD_NAMES.

Finally, I'd ditch the PREAMBLE_REGEX as well.


aakwah
Builder

Hello,

The following configuration worked fine for me:

props.conf

[CSV_Sourcetype]
REPORT-main= delimExtractions
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
pulldown_type = true

transforms.conf

[delimExtractions]
DELIMS=","
FIELDS=Number_of_Events,Action_Taken,Endpoint_Name,User_Name

Regards


nkkn87
New Member

Where to find this props.conf and transforms.conf?


nkkn87
New Member

Where to edit this props.conf and transforms.conf?


richgalloway
SplunkTrust

Try removing the brackets from the FIELD_NAMES line.

---
If this reply helps you, Karma would be appreciated.
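
The suggestions in the replies above, expressed as a small check over a props.conf stanza. This is an added example, not code from the thread or from Splunk: the stanza name `my_csv_sourcetype` and the functions `parse_props` and `lint_stanza` are hypothetical, the rules encode the posters' advice rather than Splunk's own validation, and the repeated-name check is an extra that nobody in the thread raised.

```python
import re

# Constructed sample: settings from the question under a placeholder stanza name.
SAMPLE = r"""[my_csv_sourcetype]
INDEXED_EXTRACTIONS = csv
HEADER_MODE = firstline
PREAMBLE_REGEX = ^\tDate
FIELD_NAMES = [ Date, Time, Cl, User Name, Terminal name, TCode, Program, Audit Log Msg Text, Long Text, Proc , WP, Data, Data, Data, Data ]
"""

def parse_props(text):
    """Parse props.conf text into {stanza: {key: value}}, skipping comments and blanks."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_stanza(settings):
    """Return findings for one stanza, following the advice given in the thread."""
    findings = []
    names = settings.get("FIELD_NAMES", "")
    if names.startswith("[") or names.endswith("]"):
        findings.append("FIELD_NAMES: remove the surrounding brackets")
    if "HEADER_MODE" in settings:
        findings.append("HEADER_MODE: does not pick the header row; see HEADER_FIELD_LINE_NUMBER")
    if "FIELD_NAMES" in settings and "HEADER_FIELD_LINE_NUMBER" in settings:
        findings.append("FIELD_NAMES set together with a header line: keep only one")
    if "PREAMBLE_REGEX" in settings:
        findings.append("PREAMBLE_REGEX: a reply suggests dropping it")
    # Extra check (not from the thread): the same name listed for several columns.
    fields = [f.strip() for f in names.strip("[] ").split(",") if f.strip()]
    repeated = sorted({f for f in fields if fields.count(f) > 1})
    if repeated:
        findings.append("FIELD_NAMES repeats: " + ", ".join(repeated))
    return findings

if __name__ == "__main__":
    for stanza, settings in parse_props(SAMPLE).items():
        for finding in lint_stanza(settings):
            print(f"[{stanza}] {finding}")
```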