Splunk Search

Prop Conf for CSV input data

SplunkDash
Motivator

Hello,

Please let me know how I would write Props Configuration file for this csv file. Segment of sample data for this csv file is given below. Any help will be highly appreciated, thank you!

 

malekmo_1-1626381853803.png

 

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

Hi @SplunkDash 

can you try this and deploy it to UF not on HF/intermediate forwarder. Restart UF.

 

## props.conf
[your_sourcetype]
HEADER_FIELD_LINE_NUMBER = 1
INDEXED_EXTRACTIONS = CSV
DATETIME_CONFIG = CURRENT

 

--

An upvote would be appreciated and Accept the solution if this reply helps!

View solution in original post

venkatasri
SplunkTrust
SplunkTrust

Hi @SplunkDash 

can you try this and deploy it to UF not on HF/intermediate forwarder. Restart UF.

 

## props.conf
[your_sourcetype]
HEADER_FIELD_LINE_NUMBER = 1
INDEXED_EXTRACTIONS = CSV
DATETIME_CONFIG = CURRENT

 

--

An upvote would be appreciated and Accept the solution if this reply helps!

codebuilder
Influencer

Since you have structured data with a header you can use the built-in CSV sourcetype. Just set sourcetype = csv inputs.conf on your forwarder.

Or you can create a custom one using INDEXED_EXTRACTIONS = csv
See the documentation below for details and additional settings.

https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Extractfieldsfromfileswithstructureddata#Use...

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

SplunkDash
Motivator

Thank you. But, I used

 

DATETIME_CONFIG=current

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n]+)

NO_BINARY_CHECK=true

CHARSET=UTF-8

EVAL-_raw=replace(_raw,"\"","")

INDEXED_EXTRACTIONS=csv

KV_MODE=none

category=Structured

but, showing no events.......when I take off "DATETIME_CONFIG=current" and leave this value blank... it's showing events with error messages ("Failed to parse timestamp"). Any help will be highly appreciated. 

 

0 Karma

codebuilder
Influencer

Where are you putting this? Also, why are you doing replacements on _raw?

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

SplunkDash
Motivator

_raw  just generated automatically from the system when I pull the source file  through SPLUNK web console to test my PROPS. It doesn't make any differences if I take off take option

0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...