Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to properly parse a CSV file with embedded double quotes on the end of a field before the file is indexed?

jhuysing
Explorer
‎12-14-2015 03:45 PM

The field ends with a protected quote followed by another quote

Ex:

 "field1",field2", "field3-sdasds\"textdata blah blah\"", "field4-#$%232",

The embedded quotes are protected, but when the files are processed, it doesn't split the fields correctly and field 3 and 4 end up together.

I have experimented with adding a space between the protected quote and field terminating quote and it seems to work.

field1",field2", "field3-sdasds\"textdata blah blah\" ", "field4-#$%232"

Is there someway to do this automatically before the files are indexed?

0 Karma
Reply

jhuysing
Explorer
‎12-14-2015 04:04 PM

field3 should look like this "field3-sdasds\"textdata blah blah\"", "field4-#$%232"

0 Karma
Reply

jhuysing
Explorer
‎12-14-2015 04:08 PM

try this again

field3 should look like this "field3-sdasds\"textdata blah blah\"", "field4-#$%232"

0 Karma
Reply

jhuysing
Explorer
‎12-14-2015 04:09 PM

ok how do enter backslashes here so they don't get absorbed

0 Karma
Reply

ppablo
Retired
‎12-14-2015 05:27 PM

Hi @jhuysing

To get backslashes to render properly, you have to wrap your line of text in back ticks like this so lines like \backslash\backslash\ \ \ will show up as expected. If you're every sharing a .conf stanza, it's best to highlight the entire block and click on the "Code Sample" button in the text editing tools above the text box, especially when showing anything with regular expressions. For example:

[stanza]
REGEX = *\<&>\*
0 Karma
Reply

andrew207
Path Finder
‎12-14-2015 03:53 PM

You're gonna have to escape the rogue quote.
field1",field2", "field3-sdasds"textdata blah blah\" ", "field4-#$%232"
Any quote that's supposed to be ingested as data rather than a delimiter should be escaped by whatever software is constructing the logs.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...