Solved: Creating fields based on a comma seperated list of...

sourabhguha · ‎10-26-2013

Hi,

I am indexing a set of csv files. the files do not have the header fields in it.

While I am creating the sourcetype, I would like to specify the following fields name for the sourcetype - which is a comma separated list. How can i do that?

tenant,MGId,HostGroup,TotalVMsPerHG,TotalpCoreForHG,UsedpCoreForHG,FreepCoreForHG,CoreAvailabilityPercentForHG,

Ayn · ‎10-27-2013

Setup a delimiter based field extraction in props.conf / transforms.conf.

In props.conf, you put something like:

[yoursourcetype]
REPORT = getcsvfields

And in transforms.conf:

[getcsvfields]
DELIMS = ","
FIELDS = tenant,MGId,HostGroup,TotalVMsPerHG,TotalpCoreForHG,UsedpCoreForHG,FreepCoreForHG,CoreAvailabilityPercentForHG

View solution in original post

Ayn · ‎10-27-2013

Setup a delimiter based field extraction in props.conf / transforms.conf.

In props.conf, you put something like:

[yoursourcetype]
REPORT = getcsvfields

And in transforms.conf:

[getcsvfields]
DELIMS = ","
FIELDS = tenant,MGId,HostGroup,TotalVMsPerHG,TotalpCoreForHG,UsedpCoreForHG,FreepCoreForHG,CoreAvailabilityPercentForHG

Creating fields based on a comma seperated list of values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation