Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get CSV header in output when searching using SDK?

dockerphile
Observer
‎04-10-2023 09:57 AM

I'm using python SDK to search and retrieve results in JSON output_mode. The data I'm searching for was loaded into splunk as a CSV file with the first row as header.

 Currently I'm getting these keys in the output

 

 

"_bkt","_cd","_indextime","_raw","_serial","_si","_sourcetype","_time",host,index,linecount,source,sourcetype,"splunk_server"

 

 

_raw field has a string of comma separated values(actual data). I'm not able to get the header for these values. The rest of the fields are just metadata.

 

How do I get the CSV header in the JSON output of the search? I even tried CSV 'output_mode'. No luck

0 Karma
Reply

tscroggins
Influencer
‎04-10-2023 01:09 PM

Hi,

If your CSV file was added to Splunk using the csv source type (with INDEXED_EXTRACTIONS = csv) or a source type with CSV field names defined, the fields should be available at search time.

For example, given foo.csv and source type csv:

x,y
1,1.587189013
2,0.329284696
3,1.133517675
4,-0.996575706
5,-1.64539828
6,-0.50646667
7,-1.063363413
8,-1.40311895
9,0.713595252
10,0.088273196

a search for sourcetype=csv source=foo.csv will return events with fields x and y. (I'm intentionally omitting index and other fields in the example.) For simplicity, you can return known fields with the table command:

sourcetype=csv source=foo.csv
| table x y

Alternatively, you can remove fields you don't want and include all others. Removing the fields from you you identified:

sourcetype=csv source=foo.csv
| fields - "_bkt","_cd","_indextime","_raw","_serial","_si","_sourcetype","_time",host,index,linecount,source,sourcetype,"splunk_server"
| table *

returns a table with a x, y, and any remaining default fields.

Using the search.py example app (earliest and latest not specified):

$ python ~/splunk-app-examples/python/search.py 'search sourcetype=csv source=foo.csv | fields - "_bkt","_cd","_indextime","_raw","_serial","_si","_sourcetype","_time",host,index,linecount,source,sourcetype,"splunk_server" | table *' --output_mode=json --username=xxx --password=xxx

 returns the fields and values expected (extra fields shown):

...,
"fields":[{"name":"eventtype"},{"name":"punct"},{"name":"splunk_server_group"},{"name":"tag"},{"name":"tag::eventtype"},{"name":"timestamp"},{"name":"x"},{"name":"y"},{"name":"_eventtype_color"}],
"results":[{"punct":",.","splunk_server_group":["dmc_group_indexer","dmc_group_kv_store","dmc_group_license_master","dmc_group_search_head"],"timestamp":"none","x":"10","y":"0.088273196"}, ...],
...

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...