Knowledge Management

how to index a csv file which is not in a correct format

benazir
Explorer

Hi,
Here is my scenario:
I have to index the below CSV file, where the format looks like this. I am confused with the props file and kindly need your advice.

"RowID      session_id  ObjName   ProcStartTime             Days          [Duration in milliseconds]                  sql_command             sql_text     wait_info   blocking_session_id    blocked_session_count                  physical_io                  phyiscal_reads            query_plan                  open_tran_count                  percent_complete      start_time"
"15428778 1206          InsertsettlemerchantAll2              2017-12-13 14:02:00.913              00              116                                                (9ms)WRITELOG                           0                                                     8                                                     1                                  2017-12-13 14:02:10.953"
"15428787 1308          InsertPendingTrans     2017-12-13 14:02:10.953              00              46                                  (9ms)WRITELOG                           0                                                     8                                                     1                                  2017-12-13 14:02:10.953"

Each RowID (e.g. 15428778, 15428787) should be indexed as a single event from the log file. Is it possible?

0 Karma

woodcock
Esteemed Legend

Whenever I have trash files, I write a parser in Perl, set up a cron job to look for incoming files, fix them, then write the repaired files to where Splunk is looking for them. Then I have a 2x4 talk with the developers.

0 Karma
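An added example, not part of woodcock's post or the thread: one way to do the "repair before Splunk reads it" step, written in Python rather than Perl. It assumes the fields are tab-separated inside each quote-wrapped row (the thread has not established the delimiter); the function name `repair` and the sample data are constructed for illustration. Rows whose field count does not match the header are set aside instead of being written with misaligned columns.

```python
import csv
import io

def repair(raw_text, delimiter="\t"):
    """Turn quote-wrapped, delimiter-separated rows into real CSV.

    Returns (csv_text, rejected), where rejected lists (line_number, raw_line)
    for rows whose field count does not match the header.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    header, rejected = None, []
    for lineno, raw in enumerate(raw_text.splitlines(), start=1):
        line = raw.strip(" \r\n")  # keep tabs: they may mark empty fields
        if not line.strip():
            continue
        # Each whole row is wrapped in one pair of quotes; drop that pair only.
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            line = line[1:-1]
        fields = [f.strip() for f in line.split(delimiter)]
        if header is None:
            header = fields
        elif len(fields) != len(header):
            rejected.append((lineno, raw))  # quarantine, do not index
            continue
        writer.writerow(fields)
    return out.getvalue(), rejected

# Constructed sample: tab-separated (assumption), a subset of the question's columns.
SAMPLE = (
    '"RowID\tsession_id\tObjName\tProcStartTime\tsql_text\twait_info\tstart_time"\n'
    '"15428778\t1206\tInsertsettlemerchantAll2\t2017-12-13 14:02:00.913\t\t'
    '(9ms)WRITELOG\t2017-12-13 14:02:10.953"\n'
    '"15428787\t1308\tInsertPendingTrans\t2017-12-13 14:02:10.953"\n'
)

if __name__ == "__main__":
    fixed, bad = repair(SAMPLE)
    print(fixed, end="")
    for lineno, raw in bad:
        print(f"rejected line {lineno}: {raw!r}")
```
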

DalJeanis
SplunkTrust

Looks like either it is a physical report, or perhaps a tab delimited file that you have copied from a screen. You need to verify the underlying layout by editing the file in a very basic editor like notepad. Is it tabs between the fields, or a collection of spaces?

0 Karma

richgalloway
SplunkTrust

What you have is not a CSV file. Is every row enclosed in quotes? Are the fields separated by spaces, tabs, or something else?
It looks like this will be a custom sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma