Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the proper way to load a CSV File ?

sanujss
Explorer
‎11-25-2013 01:24 AM

I have a CSV file which has a header. I want to load this in SPLUNK and want to perform searches using different fields. The file looks like :

TimeStamp, IPAddress, UserName, URL
2013-11-21 16:67:36,221.78.127.76,JADE,www.google.com
2013-10-22 12:55:37,341.78.125.77,JADE,www.rediff.com
2013-09-11 10:21:40,121.78.127.78,JADE,www.youtube.com
2013-08-24 07:11:25,121.78.128.80,JADE,www.ndtv.com

I tried to load it through the UI through : Add Data --> A file or directory of files --> Browsing for the file. Applied the source type CSV. But it is not recognizing the headers or the fields.

What is the proper way to do this ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

royimad
Builder
‎11-25-2013 01:37 AM

Extract the fields manually after indexing the file using Fields Extractions. Or you can edit props.conf and transform.conf files. 

props.conf
[myfile]
KV_MODE = none
SHOULD_LINEMERGE = false
REPORT-Myfile = Myfile_extractions

transforms.conf
[Myfile_extractions]
DELIM=","
FIELDS=TimeStamp,IPAddress,UserName,URL

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

royimad
Builder
‎11-25-2013 01:37 AM

Extract the fields manually after indexing the file using Fields Extractions. Or you can edit props.conf and transform.conf files. 

props.conf
[myfile]
KV_MODE = none
SHOULD_LINEMERGE = false
REPORT-Myfile = Myfile_extractions

transforms.conf
[Myfile_extractions]
DELIM=","
FIELDS=TimeStamp,IPAddress,UserName,URL
0 Karma
Reply
Solved! Jump to solution

sanujss
Explorer
‎11-25-2013 04:30 AM

Thank you so much. Let me give a try

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎11-25-2013 04:24 AM

$SPLUNK_HOME/etc/apps/YOURAPPS/default , it depend on your installation, by default it's /opt/splunk/etc/apps/YOURAPPS/default

0 Karma
Reply
Solved! Jump to solution

sanujss
Explorer
‎11-25-2013 01:46 AM

Thanks royimad for the quick help. I am a new bee in SPLUNK. I can see lot of props.conf, transforms.conf in locations like system, legacy, apps etc. Which one I need to edit ?

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...