Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to properly parse a CSV file with embedded...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to properly parse a CSV file with embedded double quotes on the end of a field before the file is indexed?
jhuysing
Explorer
12-14-2015
03:45 PM
The field ends with a protected quote followed by another quote
Ex:
"field1",field2", "field3-sdasds\"textdata blah blah\"", "field4-#$%232",
The embedded quotes are protected, but when the files are processed, it doesn't split the fields correctly and field 3 and 4 end up together.
I have experimented with adding a space between the protected quote and field terminating quote and it seems to work.
field1",field2", "field3-sdasds\"textdata blah blah\" ", "field4-#$%232"
Is there someway to do this automatically before the files are indexed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jhuysing
Explorer
12-14-2015
04:04 PM
field3 should look like this "field3-sdasds\"textdata blah blah\"", "field4-#$%232"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jhuysing
Explorer
12-14-2015
04:08 PM
try this again
field3 should look like this "field3-sdasds\"textdata blah blah\"", "field4-#$%232"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jhuysing
Explorer
12-14-2015
04:09 PM
ok how do enter backslashes here so they don't get absorbed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppablo
Retired
12-14-2015
05:27 PM
Hi @jhuysing
To get backslashes to render properly, you have to wrap your line of text in back ticks like this so lines like \backslash\backslash\ \ \ will show up as expected. If you're every sharing a .conf stanza, it's best to highlight the entire block and click on the "Code Sample" button in the text editing tools above the text box, especially when showing anything with regular expressions. For example:
[stanza]
REGEX = *\<&>\*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrew207
Path Finder
12-14-2015
03:53 PM
You're gonna have to escape the rogue quote.
field1",field2", "field3-sdasds"textdata blah blah\" ", "field4-#$%232"
Any quote that's supposed to be ingested as data rather than a delimiter should be escaped by whatever software is constructing the logs.
Get Updates on the Splunk Community!
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
