I have a CSV file which has a header. I want to load this into Splunk and perform searches using different fields. The file looks like:
TimeStamp, IPAddress, UserName, URL
2013-11-21 16:67:36,221.78.127.76,JADE,www.google.com
2013-10-22 12:55:37,341.78.125.77,JADE,www.rediff.com
2013-09-11 10:21:40,121.78.127.78,JADE,www.youtube.com
2013-08-24 07:11:25,121.78.128.80,JADE,www.ndtv.com
I tried to load it through the UI: Add Data --> A file or directory of files --> Browsing for the file. I applied the source type CSV, but it is not recognizing the headers or the fields.
What is the proper way to do this?
Extract the fields manually after indexing the file using Field Extractions. Or you can edit the props.conf and transforms.conf files.
props.conf
[myfile]
KV_MODE = none
SHOULD_LINEMERGE = false
REPORT-Myfile = Myfile_extractions
transforms.conf
[Myfile_extractions]
DELIMS = ","
FIELDS = TimeStamp,IPAddress,UserName,URL
Thank you so much. Let me give it a try.
$SPLUNK_HOME/etc/apps/YOURAPPS/default. It depends on your installation; by default it's /opt/splunk/etc/apps/YOURAPPS/default
Thanks royimad for the quick help. I am a newbie in Splunk. I can see a lot of props.conf and transforms.conf files in locations like system, legacy, apps etc. Which one do I need to edit?