Solved: Re: headers in csv do not appear as field names in...

jackiewkc · ‎12-16-2014

Hi, I have a csv file which contains data like this:

"region","country","city"
"emea","united kingdom","london"
"emea","france","paris"
"apac","hong kong","hong kong"
"amer","usa","new york"

I believe my inputs.conf and props.conf are correct as I can see the data in splunk when I do a search "sourcetype=props_config". However, I don't see "region", "country" or "city" as the field names on the left in the Splunk GUI.

my inputs.conf is like:

[monitor:///data/logs/*/geo.csv]
host_segment = 3
index = testindex
sourcetype = props_config

my props.conf is like:

[props_config]
FIELD_DELIMITER = ,
HEADER_FIELD_DELIMITER = ,
FIELD_QUOTE = "

Any idea what is wrong here? Thanks.

MuS · ‎12-16-2014

Hi jackiewkc,

not all fields are displayed by default in Splunk, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchTutorial/Aboutthesearchtabs#Events

To do a quick check for your fields do something like this:

your base search here  sourcetype=props_config| table region country city

hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎12-16-2014

Hi jackiewkc,

not all fields are displayed by default in Splunk, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchTutorial/Aboutthesearchtabs#Events

To do a quick check for your fields do something like this:

your base search here  sourcetype=props_config| table region country city

hope this helps ...

cheers, MuS

jackiewkc · ‎12-16-2014

Hi MuS,

Thanks for the quick reply. I was expecting to see these header fields when I selected "All Fields" but this is not the case.

I did the table thing you suggested and I can see the correct event counts.

Any idea how I can get the field names displayed?

Thanks.

Jackie

MuS · ‎12-16-2014

Although it states all fields, it does not show all fields by default 😉 it only shows all field over a certain hit percentage ... I beleave it is something around 0.1% you can change it in the all fields 'window'

jackiewkc · ‎12-16-2014

HI MuS,

The options I can see are:

All fields
coverage: 1% or more
coverage: 50% or more
coverage: 90% or more
coverage: 100%

And I have already selected "All fields...

MuS · ‎12-16-2014

Did you set any filter for the fields?

jackiewkc · ‎12-16-2014

No, I haven't set any filter....

MuS · ‎12-16-2014

Only thing I can think of currently is the search mode...are you in fast, smart or verbose mode?

jackiewkc · ‎12-16-2014

You are a genius !!! I was running in fast mode. It works after I changed it to smart.

Thank you so much for your help. I really appreciate it.

MuS · ‎12-16-2014

Sweet 🙂 You're welcome ...

headers in csv do not appear as field names in search result

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...