Splunk Enterprise

Splunk parsing and displaying data: What can I do in my source file to make Splunk show just the "Keys" under Interesting fields and not club them with any of the values?

samsingla
New Member

I am a new user to Splunk Enterprise and have a basic question on how Splunk parses and displays data.

I am feeding a few .csv files (timestamp, kv pair) as my input. I was hoping that Splunk would automatically detect the "key" and show it as a field on the right hand side (under Interesting Fields). And that's what is happening for the most part, but it is also appending a value with _. e.g. One of the fields is ProductType and it can appear as ProductType=abc, or ProductType=cde or ProductType=xyz.

What I have noticed is that if there is only one iteration of ProductType=abc and multiple iterations of other two, Splunk will show "ProductType_abc" under "Interesting Fields". But, when I click on it, it does show all three so I can still sort.

I learned that we can change config files, and also pre-define source fields, but my access is pretty locked down and I don't have direct access to config/sys data. Is there anything I can do in my source file that will make Splunk show just the "Keys" under Interesting fields and not club them with any of the values?

0 Karma
1 Solution

DalJeanis
Legend

As described, this may be a problem with your csv layout and/or with ingestion.

Normally, in a csv, the first line establishes the names of the fields. Any odd characters in the column header are cleaned by Splunk and replaced by underscores. Thus, if you have a column whose header says ProductType=abc, that field name will be rendered as ProductType_abc. If you are getting a field named that, and the values are ProductType_abc, ProductType_xyz and so on, then what you have is not exactly a csv, but a file with key-value pairs that are separated by commas.


0 Karma
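To make the accepted answer concrete, here is an added Python simulation (not from the thread and not Splunk's own code) of the two readings of the same file: header-first CSV versus per-line key=value extraction. The sample lines are constructed, and the header-cleaning rule is an approximation of Splunk's behaviour, not its actual implementation.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample resembling the poster's file: one timestamp and one kv pair per line.
SAMPLE = """2024-12-01T10:00:00,ProductType=abc
2024-12-01T10:01:00,ProductType=cde
2024-12-01T10:02:00,ProductType=xyz
2024-12-01T10:03:00,ProductType=cde
"""


def clean_field_name(name):
    """Approximation (assumption) of header cleaning: anything other than
    letters, digits and underscore is replaced by an underscore."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def as_csv(text):
    """Read the file the way a CSV ingestion does: the first line is the header.
    Returns {cleaned_header: [values of the remaining rows]}.
    Note the first line's own value (abc) is consumed as a header, not as data."""
    rows = list(csv.reader(io.StringIO(text)))
    header = [clean_field_name(cell.strip()) for cell in rows[0]]
    fields = defaultdict(list)
    for row in rows[1:]:
        for name, value in zip(header, row):
            fields[name].append(value.strip())
    return dict(fields)


KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def as_kv(text):
    """Read every line, including the first, as data and extract key=value pairs.
    Returns {key: [values]}, so ProductType shows up as one field with three values."""
    fields = defaultdict(list)
    for line in text.splitlines():
        for key, value in KV_RE.findall(line):
            fields[key].append(value)
    return dict(fields)


if __name__ == "__main__":
    print("csv reading:", as_csv(SAMPLE))
    print("kv reading: ", as_kv(SAMPLE))
```

The CSV reading produces a field literally named ProductType_abc whose values are the raw "ProductType=..." strings, while the kv reading yields a single ProductType field with the values abc, cde and xyz.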

samsingla
New Member

Thank you for the answer, it makes sense. I didn't realize that Splunk will look for a csv header even if the data values appear as kv pairs. This makes sense now. Is there a recommended extension for a kv pair file (*.txt maybe)?

And I am hoping that if I ingest the exact same file as a *.txt, the "keys" will appear on the right hand side as they are (ProductType=abc will appear as ProductType and not ProductType_abc, even if ProductType=abc is in the first line), correct?

0 Karma

DalJeanis
Legend

The first line is a data line, so yes, any ingestion method that tells the system to extract the kv pairs will work. Try using the GUI to ingest the data into a test instance, and let Splunk walk you through the process. You should be able to find the right method pretty quickly.

0 Karma