Getting Data In

headers in csv do not appear as field names in search result

Path Finder

Hi, I have a csv file which contains data like this:

"region","country","city"
"emea","united kingdom","london"
"emea","france","paris"
"apac","hong kong","hong kong"
"amer","usa","new york"

I believe my inputs.conf and props.conf are correct as I can see the data in splunk when I do a search "sourcetype=props_config". However, I don't see "region", "country" or "city" as the field names on the left in the Splunk GUI.

my inputs.conf is like:

[monitor:///data/logs/*/geo.csv]
host_segment = 3
index = testindex
sourcetype = props_config

my props.conf is like:

[props_config]
FIELD_DELIMITER = ,
HEADER_FIELD_DELIMITER = ,
FIELD_QUOTE = "

Any idea what is wrong here? Thanks.

Tags (3)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi jackiewkc,

not all fields are displayed by default in Splunk, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchTutorial/Aboutthesearchtabs#Events

To do a quick check for your fields do something like this:

your base search here  sourcetype=props_config| table region country city

hope this helps ...

cheers, MuS

View solution in original post

SplunkTrust
SplunkTrust

Hi jackiewkc,

not all fields are displayed by default in Splunk, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchTutorial/Aboutthesearchtabs#Events

To do a quick check for your fields do something like this:

your base search here  sourcetype=props_config| table region country city

hope this helps ...

cheers, MuS

View solution in original post

Path Finder

Hi MuS,

Thanks for the quick reply. I was expecting to see these header fields when I selected "All Fields" but this is not the case.

I did the table thing you suggested and I can see the correct event counts.

Any idea how I can get the field names displayed?

Thanks.

Jackie

0 Karma

SplunkTrust
SplunkTrust

Although it states all fields, it does not show all fields by default 😉 it only shows all field over a certain hit percentage ... I beleave it is something around 0.1% you can change it in the all fields 'window'

0 Karma

Path Finder

HI MuS,

The options I can see are:

All fields
coverage: 1% or more
coverage: 50% or more
coverage: 90% or more
coverage: 100%

And I have already selected "All fields...

0 Karma

SplunkTrust
SplunkTrust

Did you set any filter for the fields?

0 Karma

Path Finder

No, I haven't set any filter....

0 Karma

SplunkTrust
SplunkTrust

Only thing I can think of currently is the search mode...are you in fast, smart or verbose mode?

Path Finder

You are a genius !!! I was running in fast mode. It works after I changed it to smart.

Thank you so much for your help. I really appreciate it.

0 Karma

SplunkTrust
SplunkTrust

Sweet 🙂 You're welcome ...

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!