Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to properly parse a CSV file with embedded...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to properly parse a CSV file with embedded double quotes on the end of a field before the file is indexed?
The field ends with a protected quote followed by another quote
Ex:
"field1",field2", "field3-sdasds\"textdata blah blah\"", "field4-#$%232",
The embedded quotes are protected, but when the files are processed, it doesn't split the fields correctly and field 3 and 4 end up together.
I have experimented with adding a space between the protected quote and field terminating quote and it seems to work.
field1",field2", "field3-sdasds\"textdata blah blah\" ", "field4-#$%232"
Is there someway to do this automatically before the files are indexed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
field3 should look like this "field3-sdasds\"textdata blah blah\"", "field4-#$%232"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this again
field3 should look like this "field3-sdasds\"textdata blah blah\"", "field4-#$%232"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok how do enter backslashes here so they don't get absorbed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jhuysing
To get backslashes to render properly, you have to wrap your line of text in back ticks like this so lines like \backslash\backslash\ \ \ will show up as expected. If you're every sharing a .conf stanza, it's best to highlight the entire block and click on the "Code Sample" button in the text editing tools above the text box, especially when showing anything with regular expressions. For example:
[stanza]
REGEX = *\<&>\*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're gonna have to escape the rogue quote.
field1",field2", "field3-sdasds"textdata blah blah\" ", "field4-#$%232"
Any quote that's supposed to be ingested as data rather than a delimiter should be escaped by whatever software is constructing the logs.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
