Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: delimited by comma but not .csv file
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
delimited by comma but not .csv file
kavana
Explorer
02-14-2017
06:26 PM
I have a jobinfo.log file in my server, it was delimited by comma but not [xxxx.csv] file.
So it can not be added into index just like [.csv].
I don't want to change the extension from [.log] to [.csv],but the extension has to be changed ?
Below is the jobinfo.log file
80925610,00004105,00000000,10660,"20170213140245","20170213140245",1,0,0,"ro,o,t","root"
80925612,00004106,00000000,10660,"20170213140250","20170213140250",1,0,0,"ro,o,t","root"
80925626,00004125,00000000,10660,"20170213140411","20170213140411",1,0,0,"ro,o,t","root"
You can see that the comma also in double quotation, so if the extension is not [.csv] then the result will be below
1,0,0,"ro,o,t","root" -> 1,0,0,ro,o,t,root #the string "ro,o,t" also be delimited by comma
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-16-2017
12:07 PM
It doesn't have to be a *.csv file to be able to use the sourcetype definition (event breaking, timestamp recognition etc) of built-in sourcetype csv. When you setup the data monitoring (input.conf), just explicitly assign the sourcetype as "csv".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kavana
Explorer
02-16-2017
04:16 PM
thank you so much!
it's worked !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
02-16-2017
11:24 AM
For this source, set up your props.conf with these and it should extract correctly.
FIELD_DELIMITER = ,
FIELD_QUOTE = "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JDukeSplunk
Builder
02-16-2017
10:07 AM
So are you just trying to bring this data in so that it will be separated into fields like a csv would be?
In that case bring the data in as a sourcetype (preferably unique sourcetype name), open it in search, expand one line, click "Event Actions" and use the field extractor. Choose "delimiters" , choose comma, and name the fields. This will create a transforms and props.conf for this sourcetype.
Or edit the transforms & props.conf files
https://answers.splunk.com/answers/170251/how-to-extract-two-fields-separated-by-delimiter-c.html
Get Updates on the Splunk Community!
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
4 Ways the Splunk Community Helps You Prepare for .conf25
.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
