best way to define fields for a csv with no header...

cmeo · ‎08-10-2010

I have a source which is csv but has no headers. I'm trying to set up props.conf and transforms.conf to supply these rather than have to edit every csv file to add them, but the darn thing won't work. Here is props.conf: [winsec_csv] TRANSFORMS-winsec = extract_winsec

transforms.conf: [extract_winsec] DELIMS="," REGEX=* FIELDS = "logtype", "time", "logtype1", "eventcode", "status", "actiontype", "userid", "dc", "message"

Sample events: SEC,06/05/2010 10:31:24,Security,540,Success,Logon/Logoff ,UNISUPER\MEPUTIL04$,MEPDOM02,Successful Network Logon:^User Name: MEPUTIL04$^ Domain: UNISUPER^Logon ID: (0x0 0x27048EFB)^ Logon Type: 3^Logon Process: Kerberos^ Authentication Package: Kerberos^Workstation Name: ^ Logon GUID: {4fff3638-0ad5-b2d7-7358-2ae3dd4509b3}^Caller User Name: -^ Caller Domain: -^Caller Logon ID: -^ Caller Process ID: -^Transited Services: -^ Source Network Address: 10.3.37.101^Source Port: 0^ SEC,06/05/2010 10:31:26,Security,540,Success,Logon/Logoff ,UNISUPER\WS-02241$,MEPDOM02,Successful Network Logon:^User Name: WS-02241$^ Domain: UNISUPER^Logon ID: (0x0 0x2704BA25)^ Logon Type: 3^Logon Process: Kerberos^ Authentication Package: Kerberos^Workstation Name: ^ Logon GUID: {268894b4-e2a0-3b99-b2a8-c446da5c7eca}^Caller User Name: -^ Caller Domain: -^Caller Logon ID: -^ Caller Process ID: -^Transited Services: -^ Source Network Address: 10.3.0.160^Source Port: 0^

The REGEX I have added in frustration because of the error 'REGEX must be specified'--don't see why, it's not used. Now no data is being indexed at all, but I don't get the error message...

Yes this is windows security event log but for complicated reasons I can't use it directly--have to have this.

How do I do this? I can use a generic solution to this for other scenarios anyway. The documentation shows this to be straightforward--so why won't it go??

gkanapathy · ‎08-10-2010

All you have to do is specify a sourcetype name that you will assign to the files and the fields:

[mysourcetypename]
FiELDS = field1, "second field", field3, field4, "field number 5", field6

The headers in the file actually get in the way.

Paolo_Prigione · ‎01-19-2011

cmeo, are you willing to index all the fields? Otherwise, you should put in props.comf [winsec_csv] REPORT-winsec = extract_winsec, instead of TRANSFORMS.

gkanapathy · ‎08-16-2010

Sigh. If you've got forwarded files it doesn't matter, but unfortunately to kill the auto-csv generation, you have to make a stanza for your source or sourcetype, set CHECK_FOR_HEADER = false and set priority = 101 (or some higher number) to cancel out a built-in rule that applies to any file name ending in .csv. You could also rename the file I guess. If it's already been generated, just delete the contents of the etc/apps/learned/local folder. (Don't disable the learned app. Only tears will come of that.)

cmeo · ‎08-16-2010

Cracked it using another example in answers. What was happening is that my definitions were conflicting with splunk's own attempt in apps/learned.

So I suppose the only remaining question is, how to prevent splunk from attempting a learned configuration?

cmeo · ‎08-11-2010

This looks like a props.conf entry. I tried that--splunk ignored it. Still no field names in the picker except two (CN, DC) which splunk has somehow defined for itself.

Where does this entry go? Where did DC and CN come from and how do I stop splunk doing that?

cmeo · ‎08-10-2010

sorry the cut and paste mangled things. Every line in the sample events starts with SEC, the rest should be pretty obvious.

best way to define fields for a csv with no headers

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM