Re: delimited by comma but not .csv file

kavana · ‎02-14-2017

I have a jobinfo.log file in my server, it was delimited by comma but not [xxxx.csv] file.
So it can not be added into index just like [.csv].

I don't want to change the extension from [.log] to [.csv],but the extension has to be changed ?

Below is the jobinfo.log file

80925610,00004105,00000000,10660,"20170213140245","20170213140245",1,0,0,"ro,o,t","root"
80925612,00004106,00000000,10660,"20170213140250","20170213140250",1,0,0,"ro,o,t","root"
80925626,00004125,00000000,10660,"20170213140411","20170213140411",1,0,0,"ro,o,t","root"

You can see that the comma also in double quotation, so if the extension is not [.csv] then the result will be below

1,0,0,"ro,o,t","root" -> 1,0,0,ro,o,t,root #the string "ro,o,t" also be delimited by comma

somesoni2 · ‎02-16-2017

It doesn't have to be a *.csv file to be able to use the sourcetype definition (event breaking, timestamp recognition etc) of built-in sourcetype csv. When you setup the data monitoring (input.conf), just explicitly assign the sourcetype as "csv".

kavana · ‎02-16-2017

thank you so much!

it's worked !

DalJeanis · ‎02-16-2017

For this source, set up your props.conf with these and it should extract correctly.

FIELD_DELIMITER = ,
FIELD_QUOTE = "

JDukeSplunk · ‎02-16-2017

So are you just trying to bring this data in so that it will be separated into fields like a csv would be?

In that case bring the data in as a sourcetype (preferably unique sourcetype name), open it in search, expand one line, click "Event Actions" and use the field extractor. Choose "delimiters" , choose comma, and name the fields. This will create a transforms and props.conf for this sourcetype.

Or edit the transforms & props.conf files
https://answers.splunk.com/answers/170251/how-to-extract-two-fields-separated-by-delimiter-c.html

delimited by comma but not .csv file

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!