Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

headers in csv do not appear as field names in search result

jackiewkc
Path Finder
‎12-16-2014 02:58 AM

Hi, I have a csv file which contains data like this:

"region","country","city"
"emea","united kingdom","london"
"emea","france","paris"
"apac","hong kong","hong kong"
"amer","usa","new york"

I believe my inputs.conf and props.conf are correct as I can see the data in splunk when I do a search "sourcetype=props_config". However, I don't see "region", "country" or "city" as the field names on the left in the Splunk GUI.

my inputs.conf is like:

[monitor:///data/logs/*/geo.csv]
host_segment = 3
index = testindex
sourcetype = props_config

my props.conf is like:

[props_config]
FIELD_DELIMITER = ,
HEADER_FIELD_DELIMITER = ,
FIELD_QUOTE = "

Any idea what is wrong here? Thanks.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎12-16-2014 03:04 AM

Hi jackiewkc,

not all fields are displayed by default in Splunk, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchTutorial/Aboutthesearchtabs#Events

To do a quick check for your fields do something like this:

your base search here  sourcetype=props_config| table region country city

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎12-16-2014 03:04 AM

Hi jackiewkc,

not all fields are displayed by default in Splunk, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchTutorial/Aboutthesearchtabs#Events

To do a quick check for your fields do something like this:

your base search here  sourcetype=props_config| table region country city

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

jackiewkc
Path Finder
‎12-16-2014 03:11 AM

Hi MuS,

Thanks for the quick reply. I was expecting to see these header fields when I selected "All Fields" but this is not the case.

I did the table thing you suggested and I can see the correct event counts.

Any idea how I can get the field names displayed?

Thanks.

Jackie

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-16-2014 03:22 AM

Although it states all fields, it does not show all fields by default 😉 it only shows all field over a certain hit percentage ... I beleave it is something around 0.1% you can change it in the all fields 'window'

0 Karma
Reply
Solved! Jump to solution

jackiewkc
Path Finder
‎12-16-2014 03:42 AM

HI MuS,

The options I can see are:

All fields
coverage: 1% or more
coverage: 50% or more
coverage: 90% or more
coverage: 100%

And I have already selected "All fields...

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-16-2014 04:20 AM

Did you set any filter for the fields?

0 Karma
Reply
Solved! Jump to solution

jackiewkc
Path Finder
‎12-16-2014 04:26 AM

No, I haven't set any filter....

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-16-2014 04:43 AM

Only thing I can think of currently is the search mode...are you in fast, smart or verbose mode?

Reply
Solved! Jump to solution

jackiewkc
Path Finder
‎12-16-2014 04:45 AM

You are a genius !!! I was running in fast mode. It works after I changed it to smart.

Thank you so much for your help. I really appreciate it.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-16-2014 04:50 AM

Sweet 🙂 You're welcome ...

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...