Good morning. I hope you can help.

I am currently trying to monitor specific files (in .csv format) that are updated every 10 minutes or so on a server. I have changed the inputs.conf file for the App in question and I can get the data in to Splunk.

The problem I have is that the headers appear within the raw event data and also it seems that the events are not separating correctly.

Here is an example of the raw event data (bold being the headers):

TYPE Name.Possible.Management.NameCmdlets.Model.NameName "RequestId","CreatorID","Justification","CreationTime","CreationTimeLocal","CreationMethod","ExpirationTime","ExpirationTimeLocal","RoleId","RequestedTTL","RequestedTime","RequestedTimeLocal","RequestStatus" "564524-0343-4856-97b-6aaeh7244c38","6fk6feac-9i6f-4433-b5a3-9e1cef6jfabf","Checking MAP access/roles after rebuild","21/10/2016 12:40:58","21/10/2016 13:40:58","MAP Web API","21/10/2016 12:47:31","21/10/2016 13:47:31","b0h760c5-dj7c-444-915e-9abbce10000","3600","21/10/2016 12:40:49","21/10/2016 13:40:49","Closed" "6a424414f-d77d-4777-a777-fb7777-7d70d","6f9999-9e0f-4999-b5a3-9e99998c3bf","Testing access to domain and script to install agents","30/11/2016 11:46:21","30/11/2016 11:46:21","MAP Web API","30/11/2016 12:30:57","30/11/2016 12:30:57","b099999-d99c-4299-9999-9ab99999ad7","3600","30/11/2016 11:46:19","30/11/2016 11:46:19",

It seems though that after CLOSED, this should be a separated event, beginning again to match header with data.

Two questions, (1) how do I sort this so that the headers are removed/split from the event data so that I can normalise and extract fields to present in a table AND (2) how do I separate the attached events?

I have spent a huge amount of time with this so far and have not managed to make any progress so any help would be hugely appreciated.

Kind regards,

Rob.