Re: ingesting csv headers with double quotes and %

narenpg · ‎03-04-2025

I am trying to ingest a csv file which has headers with double quotes " and %. They are separated by comma. But after ingestion if two field names has same name except one has # and the other one has % then it merges both of them into one field while using table output. How to fix this issue. If splunk does`nt support csv headers then i have to remove before ingesting them. Any ideas.

livehybrid · ‎03-04-2025

Hi @narenpg

You need to use FIELD_NAMES in your props to set the field names in this case,:

eg

FIELD_NAMES=name,count,count_perc,region

for this test CSV:

"name","count","count%","region"
"John Smith","245","12.3%","North"
"Mary Johnson","189","9.5%","South" 
"James Williams","167","8.4%","East"
"Sarah Davis","156","7.8%","West"
"Michael Brown","143","7.2%","North"
"Jennifer Wilson","134","6.7%","South"
"Robert Taylor","128","6.4%","East"
"Elizabeth Anderson","112","5.6%","West"
"David Martinez","98","4.9%","North"
"Susan Thompson","87","4.4%","South"

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

narenpg · ‎03-07-2025

This seems to be working in the "Add Data" testing, but after adding this sourcetype when i search i dont see the headers. Actually the header starts on line 2, so i added "File Preamble" to skip the first line and start ingesting the headers from line 2 but it is skipping it. What am i missing?

ingesting csv headers with double quotes and %

Splunk Investigate

troubleshooting

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?