Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is Splunk not parsing a CSV file correctly with TAB as a delimiter and \n as a line separator?

seregaserega
Explorer
‎08-03-2015 04:46 PM

Hi, I'm trying to parse csv file with TAB as separator and \n as a line separator. I don't have time in csv, I would use file as a dictionary.
The problem is that I can't force Splunk to parse the file.
file same is:

1   12.01 45.35 
2   10.01   45.35

I used these settings:

FIELD_DELIMITER=tab
FIELD_QUOTE=" (I don't have any quotes, there are only numbers)
FIELD_NAMES=id,lon,lat

And Splunk puts the whole row into field id:

{"1\t12.01\t45.35\t":"2\t10.01\t45.35\t"}
1. why does it ignores tab as separator?
2. why does it splunk adds the first line in each "event"? I have 1000 lines, splunk sees 1000 events and each event has single field "id" where the first line "1 12.01 45.35 " is always in the beginning of event.

Have no Idea what splunk tries to do...

Tags (3)
0 Karma
Reply

mreynov_splunk
Splunk Employee
Splunk Employee
‎08-03-2015 06:06 PM
  1. are you sure the separator is actually a tab and not several spaces in a row? check with textmate or something like that to make sure.
  2. since your first field is id, Splunk what it considers to be the first field and gives it the label of "id"
  3. remove FIELD_QUOTE, if you dont have them, it might be that entire record is surrounded by quotes, so that might further confuse splunk
Reply

seregaserega
Explorer
‎08-04-2015 09:21 AM
  1. Yes, I generate that file
  2. Didn't understand, I tried to rename it to XXX, no luck.
  3. Did it, no luck
0 Karma
Reply

woodcock
Esteemed Legend
‎08-03-2015 05:19 PM

Things are a bit different (mostly better) in 6.0 than earlier releases, you can just do this in props.conf:

[SourceTypeForTSVwithNoHeader]
INDEXED_EXTRACTIONS = TSV
FIELD_NAMES=id,lon,lat

If your TSV has a header, then you don't even need the FIELD_NAMES line!

This has to be deployed to all of your Forwarders and the Splunk instances there have to be restarted before it will work.

Reply

seregaserega
Explorer
‎08-04-2015 09:56 AM

It doesn't work. It even can't parse ',' separated file.
really-really-weird behaviour.

Here is a code to write the file:

fileWriter.append(
                    Arrays.asList(entry.getProperties().getCellId(),
                            c1.get(0),c1.get(1),
                            c2.get(0),c2.get(1),
                            c3.get(0),c3.get(1),
                            c4.get(0),c4.get(1)
                            )
                            .stream().map(Object::toString).collect(Collectors.joining(","))+"\r\n"

I changed '\t' to ',' doesn't help.
\n to \r\n doesn't help

Now splunk does it best to create single long row from my 10K lines file. Have no idea why it tries to do so.
Beofre that splunk did put all fields into the first one.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-04-2015 10:26 AM

Leave it as a comma and use this:

[SourceTypeForTSVwithNoHeader]
INDEXED_EXTRACTIONS = CSV
FIELD_NAMES=id,lon,lat

This has to be deployed to all of your Forwarders and the Splunk instances there have to be restarted before it will work.

0 Karma
Reply

seregaserega
Explorer
‎08-04-2015 10:30 AM

it doesn't work.
So the working solution is:

  fileWriter.append(
                    Arrays.asList(entry.getProperties().getCellId(),
                            c1.get(0),c1.get(1),
                            c2.get(0),c2.get(1),
                            c3.get(0),c3.get(1),
                            c4.get(0),c4.get(1)
                            )
                            .stream().map(Object::toString).collect(Collectors.joining(","))+"\r\n"

And extra movement: add header to the file.
Then splunk does what expected:
1. reads file line by line
2. doesn't try to put first line as a header
3. correctly splits fields not ignoring \t. When splunk did put all line into the first field it even displays in UI that '\t' are between values.

weird!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...