
What is the correct parameter in props.conf for a CSV file?

willmirko
New Member

Hi all, I'm pretty new here.

I need to assign a name to the fields of an imported .csv file,
but it doesn't work.
In the props.conf file I'm using these settings:

DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
HEADER_MODE = firstline
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
PREAMBLE_REGEX = ^\tDate
FIELD_NAMES = [ Date, Time, Cl, User Name, Terminal name, TCode, Program, Audit Log Msg Text, Long Text, Proc , WP, Data, Data, Data, Data ]

Can you help me?

thanks
Mirko


twinspop
Influencer

HEADER_MODE? I'm not familiar with it, but the docs show:

  • Determines whether to use the inline ***SPLUNK*** directive to rewrite index-time fields.

I don't think this is what you want. Instead maybe this:

HEADER_FIELD_LINE_NUMBER = <integer>

* Tells Splunk the line number of the line within the file that contains the
  header fields.  If set to 0, Splunk attempts to locate the header fields
  within the file automatically.

And if you use a header line, I don't think you want to list FIELD_NAMES.

Finally, I'd ditch the PREAMBLE_REGEX as well.


aakwah
Builder

Hello,

The following configuration worked fine for me:

props.conf

[CSV_Sourcetype]
REPORT-main= delimExtractions
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
pulldown_type = true

transforms.conf

[delimExtractions]
DELIMS=","
FIELDS=Number_of_Events,Action_Taken,Endpoint_Name,User_Name

Regards


nkkn87
New Member

Where to find this props.conf and transforms.conf?


nkkn87
New Member

Where to edit this props.conf and transforms.conf?

richgalloway
SplunkTrust

Try removing the brackets from the FIELD_NAMES line.

---
If this reply helps you, Karma would be appreciated.
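
The replies in this thread point at several things in the posted stanza: HEADER_MODE, the brackets around FIELD_NAMES, FIELD_NAMES combined with a header line, and PREAMBLE_REGEX. The following Python check is an added example, not code from the thread or from Splunk; it flags those points in a props.conf stanza. The function names, rule names and the duplicate-name check are assumptions of this example.

```python
# Added example; rule names and messages are this example's own, not Splunk output.
# QUESTION_STANZA is an excerpt of the settings posted in the question.
QUESTION_STANZA = r"""
INDEXED_EXTRACTIONS = csv
HEADER_MODE = firstline
PREAMBLE_REGEX = ^\tDate
FIELD_NAMES = [ Date, Time, Cl, User Name, Terminal name, TCode, Program, Audit Log Msg Text, Long Text, Proc , WP, Data, Data, Data, Data ]
"""

def parse_stanza(text):
    """Return {setting: value} for the 'KEY = value' lines of one stanza."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue  # blank line, comment, or [stanza] header
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def field_names(settings):
    """Split FIELD_NAMES on commas after dropping surrounding brackets."""
    raw = settings.get("FIELD_NAMES", "").strip().lstrip("[").rstrip("]")
    return [n.strip() for n in raw.split(",") if n.strip()]

def lint_csv_stanza(text):
    """Return (rule, message) findings based on the replies in the thread."""
    s = parse_stanza(text)
    findings = []
    if "HEADER_MODE" in s:
        findings.append(("header-mode", "a reply suggests HEADER_FIELD_LINE_NUMBER instead"))
    raw = s.get("FIELD_NAMES")
    if raw is not None:
        if raw.startswith("[") or raw.endswith("]"):
            findings.append(("brackets", "remove the brackets from FIELD_NAMES"))
        if "HEADER_MODE" in s or "HEADER_FIELD_LINE_NUMBER" in s:
            findings.append(("names-and-header", "FIELD_NAMES set together with a header line"))
        names = field_names(s)
        dupes = sorted({n for n in names if names.count(n) > 1})
        if dupes:  # extra check, not raised in the thread
            findings.append(("duplicates", "repeated names: " + ", ".join(dupes)))
    if "PREAMBLE_REGEX" in s:
        findings.append(("preamble", "a reply suggests dropping PREAMBLE_REGEX"))
    return findings

if __name__ == "__main__":
    for rule, message in lint_csv_stanza(QUESTION_STANZA):
        print(f"{rule}: {message}")
```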