Solved: csv headers are not getting listed

Gowthamdevaraj · ‎04-16-2020

Hello,

I have clonned the CSV source type in Splunk and created a new CSV sourcetype as Alpha_csv and configured to monitor the csv files.

I have created a deployment apps and configured inputs.conf in deployment app.

All my csv files are not getting monitored but no as per header values. (no csv headers are getting listed)

csv sourcetype is set to auto, comma separated csv.

Can anyone help on this?

Thanks

manjunathmeti · ‎04-17-2020

Along with inputs.conf you also need to copy settings for Alpha_csv in props.conf in deployment app and deploy it to forwarder server.

View solution in original post

manjunathmeti · ‎04-17-2020

Along with inputs.conf you also need to copy settings for Alpha_csv in props.conf in deployment app and deploy it to forwarder server.

PavelP · ‎04-17-2020

Hello @Gowthamdevaraj ,
if I understand you correctly the file get monitored correctly, but you cannot see the first line of the logs with header names? This is how indexed_extraction for CSV works - your fields are get parsed and mapped to the right field taken from the header line and the header line get removed. You can access any parsed field by using the field name.

Here is more info about indexed extraction: https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Extractfieldsfromfileswithstructureddata

Have it worked before you cloned the source type?

csv headers are not getting listed

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?