I have a jobinfo.log file on my server. It is comma-delimited, but it is not a [xxxx.csv] file.
So it cannot be added to the index the way a [.csv] would be.
I don't want to change the extension from [.log] to [.csv], but does the extension have to be changed?
Below is the jobinfo.log file:
80925610,00004105,00000000,10660,"20170213140245","20170213140245",1,0,0,"ro,o,t","root"
80925612,00004106,00000000,10660,"20170213140250","20170213140250",1,0,0,"ro,o,t","root"
80925626,00004125,00000000,10660,"20170213140411","20170213140411",1,0,0,"ro,o,t","root"
You can see that there are also commas inside the double quotes, so if the extension is not [.csv] the result will be as below:
1,0,0,"ro,o,t","root" -> 1,0,0,ro,o,t,root #the string "ro,o,t" is also split on the comma
It doesn't have to be a *.csv file to be able to use the sourcetype definition (event breaking, timestamp recognition etc.) of the built-in sourcetype csv. When you set up the data monitoring (inputs.conf), just explicitly assign the sourcetype as "csv".
Thank you so much!
It worked!
For this source, set up your props.conf with these settings and it should extract correctly:
FIELD_DELIMITER = ,
FIELD_QUOTE = "
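As an added illustration (not part of the original thread), this Python snippet shows the difference between a plain comma split and a quote-aware split of a row from the question, which is what FIELD_DELIMITER and FIELD_QUOTE tell Splunk to do. The sample line is copied from the question; the function names are my own.

```python
import csv
import io

# Sample row copied from the jobinfo.log excerpt in the question.
SAMPLE_LINE = (
    '80925610,00004105,00000000,10660,"20170213140245","20170213140245",'
    '1,0,0,"ro,o,t","root"'
)


def naive_split(line: str) -> list[str]:
    """Plain comma split: ignores quoting, so "ro,o,t" breaks into 3 fields."""
    return [field.strip('"') for field in line.split(",")]


def quoted_split(line: str, delimiter: str = ",", quote: str = '"') -> list[str]:
    """Quote-aware split (the FIELD_DELIMITER / FIELD_QUOTE behaviour).

    Commas inside a quoted field are data, not separators; the quotes
    themselves are removed from the extracted value.
    """
    reader = csv.reader(io.StringIO(line), delimiter=delimiter, quotechar=quote)
    return next(reader)


def field_count_is_stable(lines: list[str]) -> bool:
    """Sanity check for a whole file: every row should yield the same number
    of fields once quoting is honoured. A mismatch usually means a delimiter
    or quote character is wrong for this source."""
    counts = {len(quoted_split(line)) for line in lines}
    return len(counts) == 1


if __name__ == "__main__":
    print("naive :", len(naive_split(SAMPLE_LINE)), naive_split(SAMPLE_LINE)[9:12])
    print("quoted:", len(quoted_split(SAMPLE_LINE)), quoted_split(SAMPLE_LINE)[9])
```

The naive split yields 13 fields with `ro`, `o`, `t` as separate values, while the quote-aware split yields the 11 fields the row actually contains.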
So are you just trying to bring this data in so that it will be separated into fields like a csv would be?
In that case, bring the data in under a sourcetype (preferably a unique sourcetype name), open it in search, expand one event, click "Event Actions" and use the field extractor. Choose "delimiters", choose comma, and name the fields. This will create transforms.conf and props.conf entries for this sourcetype.
Or edit the transforms.conf & props.conf files directly:
https://answers.splunk.com/answers/170251/how-to-extract-two-fields-separated-by-delimiter-c.html