
How to index a CSV file which is not in a correct format


Hi,
Here is my scenario.
I have to index the below CSV file, where the format looks like this. I am confused with the props file; I kindly need your advice.

"RowID      session_id  ObjName   ProcStartTime             Days          [Duration in milliseconds]                  sql_command             sql_text     wait_info   blocking_session_id    blocked_session_count                  physical_io                  phyiscal_reads            query_plan                  open_tran_count                  percent_complete      start_time"
"15428778 1206          InsertsettlemerchantAll2              2017-12-13 14:02:00.913              00              116                                                (9ms)WRITELOG                           0                                                     8                                                     1                                  2017-12-13 14:02:10.953"
"15428787 1308          InsertPendingTrans     2017-12-13 14:02:10.953              00              46                                  (9ms)WRITELOG                           0                                                     8                                                     1                                  2017-12-13 14:02:10.953"

Each Row ID (e.g. 15428778, 15428787) should index as a single event from the log file. Is it possible?



Whenever I have trash files, I write a parser in Perl, set up a cron job to look for incoming files, fix them, then write the repaired files to where Splunk is looking for them. Then I have a 2x4 talk with the developers.



Looks like either it is a physical report, or perhaps a tab-delimited file that you have copied from a screen. You need to verify the underlying layout by editing the file in a very basic editor like Notepad. Is it tabs between the fields, or a collection of spaces?



What you have is not a CSV file. Is every row enclosed in quotes? Are the fields separated by spaces, tabs, or something else?
It looks like this will be a custom sourcetype.

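The pre-processing approach from the first answer, written in Python rather than Perl, and covering the third answer's point that the file is not really CSV: an added example, not code from the thread or from Splunk. It assumes that the first line is the header, that every physical line is wrapped in one pair of double quotes as in the post, that a record starts on an unindented line whose first token is the numeric RowID, and that any wrapped continuation line is indented. The header and the first two rows are copied from the post; the third row is constructed to show a record wrapped across two physical lines.

```python
"""Turn the whitespace-aligned SQL report from the post into proper CSV,
one line per RowID, so it can be indexed as an ordinary CSV sourcetype.

Added example, not code from the thread.  Assumptions: the first line is the
header; each physical line is wrapped in double quotes as in the post; a
record starts on an unindented line whose first token is the numeric RowID,
and wrapped continuation lines are indented.
"""
import csv
import io
import re

# Header and the first two rows are copied from the post.  The third row is
# constructed to show one record wrapped across two physical lines.
SAMPLE = '''"RowID      session_id  ObjName   ProcStartTime             Days          [Duration in milliseconds]                  sql_command             sql_text     wait_info   blocking_session_id    blocked_session_count                  physical_io                  phyiscal_reads            query_plan                  open_tran_count                  percent_complete      start_time"
"15428778 1206          InsertsettlemerchantAll2              2017-12-13 14:02:00.913              00              116                                                (9ms)WRITELOG                           0                                                     8                                                     1                                  2017-12-13 14:02:10.953"
"15428787 1308          InsertPendingTrans     2017-12-13 14:02:10.953              00              46                                  (9ms)WRITELOG                           0                                                     8                                                     1                                  2017-12-13 14:02:10.953"
"15428790 1310          InsertAuditRow         2017-12-13 14:02:11.100              00              12
      (2ms)PAGELATCH_SH            0        3        1          2017-12-13 14:02:11.112"
'''

LEAD = 6  # RowID .. [Duration in milliseconds] are always populated, taken left to right
DT_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?")
# A token is either a whole timestamp (which contains a space) or a run of non-space.
TOKEN_RE = re.compile(DT_RE.pattern + r"|\S+")
START_RE = re.compile(r"\d+\s")  # unindented line beginning with the RowID


def unwrap(raw):
    """Strip the line terminator and the quote wrapped around each physical line."""
    return raw.rstrip("\r\n").strip('"')


def parse_header(line):
    """Header names are padded with two or more spaces, which keeps
    '[Duration in milliseconds]' as one column; data rows do not honour that."""
    return re.split(r"\s{2,}", unwrap(line).strip())


def iter_records(lines, header_text=None):
    """Yield one logical record per RowID, folding indented continuation lines in."""
    buf = []
    for raw in lines:
        text = unwrap(raw)
        if not text.strip() or text.strip() == header_text:
            continue  # blank line or a repeated page header
        if START_RE.match(text):
            if buf:
                yield " ".join(buf)
            buf = [text]
        elif buf:
            buf.append(text.strip())
    if buf:
        yield " ".join(buf)


def map_record(text, columns):
    """Blank cells leave no delimiter behind, so only the leading columns and
    start_time can be placed with certainty; the rest is kept verbatim in
    'unmapped' and the record is marked 'partial' rather than guessed at."""
    tokens = TOKEN_RE.findall(text)
    row = dict.fromkeys(columns, "")
    row["unmapped"] = ""
    if len(tokens) == len(columns):
        row.update(zip(columns, tokens))
        row["status"] = "ok"
    elif len(tokens) > LEAD:
        row.update(zip(columns[:LEAD], tokens))  # zip stops after LEAD names
        row[columns[-1]] = tokens[-1]
        row["unmapped"] = "|".join(tokens[LEAD:-1])
        row["status"] = "partial"
    else:
        row["unmapped"] = "|".join(tokens)
        row["status"] = "bad"
    # Sanity checks catch mis-split records (a continuation line taken for a row).
    if row["status"] != "bad" and not (
        row["RowID"].isdigit()
        and DT_RE.fullmatch(row["ProcStartTime"])
        and DT_RE.fullmatch(row["start_time"])
    ):
        row["status"] = "bad"
    return row


def parse_report(text):
    """Return one dict per RowID for the whole report text."""
    lines = text.splitlines()
    columns = parse_header(lines[0])
    header_text = unwrap(lines[0]).strip()
    return [map_record(rec, columns) for rec in iter_records(lines[1:], header_text)]


def to_csv(text):
    """Render the parsed report as CSV with a header line, one line per RowID."""
    columns = parse_header(text.splitlines()[0])
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns + ["unmapped", "status"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(parse_report(text))
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE), end="")
```

Run as a script it prints the repaired CSV; written to the directory Splunk monitors and given a CSV sourcetype (INDEXED_EXTRACTIONS = csv in props.conf), every line becomes one event with RowID as a field. Any record marked partial or bad is the evidence to take back to whoever produces the report: with blank cells dropped silently, the middle columns cannot be recovered by a parser, only by fixing the export.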