Re: how to import some columns from csv

splunk6161 · ‎06-20-2017

I have a csv file to import by app data ->monitor
i would to import some columns (not all) before to index.
It's possible?
Thanks

splunk6161 · ‎05-05-2020

I've created a new csv to do a test:

did this in props.conf:

[csv_n402_rex]
BREAK_ONLY_BEFORE_DATE = 
DATETIME_CONFIG = 
FIELD_DELIMITER = ,
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SEDCMD-rex = s/([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).([^,]+).*/\4,\12,\14,\17\n/
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = 1

In search works, when I add *| table ** in the search, it shows me all fields. Why?
I suppose regex is just a view, so I'm indexing all the fields.

to4kawa · ‎05-05-2020

because INDEXED_EXTRACTIONS = csv is before SEDCMD-rex
|table * display all extracted fields.

splunk6161 · ‎05-06-2020

so I'm indexing all the fields?

to4kawa · ‎05-06-2020

yes , I guess

splunk6161 · ‎05-06-2020

I tried to reverse as you said but the sorting of the fields would seem to be automatic and so like in the props.conf file above

to4kawa · ‎05-06-2020

How about transforms.conf ?

splunk6161 · ‎05-06-2020

not present, i'll try to configure it.

woodcock · ‎06-22-2017

Do this in props.conf:

[YourSourcetypeHere]
SEDCMD-trim_raw = s/([^,]+),(?:[^,]+,){2}(.*$)/\1\2/

For proof try this:

| makeresults 
| fields - _time
| eval _raw="_time,f1,f2,f3,f4,f5,f6,f7,f8,f9,f10" 
| rex mode=sed "s/([^,]+),(?:[^,]+,){2}(.*$)/\1\2/"

https://answers.splunk.com/answers/530547/filter-data-and-extract-field-before-indexed.html#comment-...

woodcock · ‎06-20-2017

My rule on CSVs is this: If the file does NOT contain a timestamp, it should NOT be indexed (do not use Add data. Instead, it should be uploaded as a lookup. If you must index this data, then use SEDCMD to skip (erase) columns in your data as it is indexed:

https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Anonymizedata

gcusello · ‎06-20-2017

Hi splunk6161,
I didn't tried to do this, but you could delete columns that you don't want to index using a SEDCMD command.
e.g. if you have a csv like this

field1,field2,field3,field4,field5,field6
aaa,bbb,ccc,ddd,eee,fff

and you don't want to index field4

you could insert in props.conf stanza:

[your_sourcetype]
 SED-alter=s/[^,],[^,],[^,],[^,],[^,],[^,]/[^,],[^,],[^,],[^,],,[^,]/g

Try it

Bye.
Giuseppe

splunk6161 · ‎06-22-2017

It doesn't work
I have 10columns plus 1column "_time" as first column.
I would keep the first column, skip the second and the third, keep the rest.
Is correct this scenario?
SEDCMD-alter=s/[^,],[^,],[^,],[^,],[^,],[^,],[^,],[^,],[^,],[^,],[^,]/[^,],,,[^,],[^,],[^,],[^,],[^,],[^,],[^,],[^,]/g

thanks

how to import some columns from csv

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

how to import some columns from csv

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases