Hi all, i'm pretty new here.
I need to assign a name to the fields of a .csv imported file,
but it doesn't work.
In the Props.conf File i'm using these setting:
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
HEADER_MODE = firstline
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
PREAMBLE_REGEX = ^\tDate
FIELD_NAMES = [ Date, Time, Cl, User Name, Terminal name, TCode, Program, Audit Log Msg Text, Long Text, Proc , WP, Data, Data, Data, Data ]
Can you help me?
thanks
Mirko
HEADER_MODE? I'm not familiar with it, but the docs show:
I don't think this is what you want. Instead maybe this:
HEADER_FIELD_LINE_NUMBER = <integer>
* Tells Splunk the line number of the line within the file that contains the
header fields. If set to 0, Splunk attempts to locate the header fields
within the file automatically.
And if you use a header line, I don't think you want to list FIELD_NAMES.
Finally, I'd ditch the PREAMBLE_REGEX as well.
Hello,
The folloiwng configuration worked fine with me:
props.conf
[CSV_Sourcetype]
REPORT-main= delimExtractions
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
pulldown_type = true
transforms.conf
[delimExtractions]
DELIMS=","
FIELDS=Number_of_Events,Action_Taken,Endpoint_Name,User_Name
Regards
Where to find this props.conf and transforms.conf?
Where to edit this props.conf and transforms.conf?
HEADER_MODE? I'm not familiar with it, but the docs show:
I don't think this is what you want. Instead maybe this:
HEADER_FIELD_LINE_NUMBER = <integer>
* Tells Splunk the line number of the line within the file that contains the
header fields. If set to 0, Splunk attempts to locate the header fields
within the file automatically.
And if you use a header line, I don't think you want to list FIELD_NAMES.
Finally, I'd ditch the PREAMBLE_REGEX as well.
Try removing the brackets from the FIELD_NAMES
line.