Splunk Search

Prop Conf for CSV input data

SplunkDash
Motivator

Hello,

Please let me know how I would write Props Configuration file for this csv file. Segment of sample data for this csv file is given below. Any help will be highly appreciated, thank you!

[Image: segment of the sample CSV data, malekmo_1-1626381853803.png]

venkatasri
SplunkTrust
SplunkTrust

Hi @SplunkDash

Can you try this and deploy it to the UF, not on the HF/intermediate forwarder? Restart the UF.


## props.conf
[your_sourcetype]
HEADER_FIELD_LINE_NUMBER = 1
INDEXED_EXTRACTIONS = CSV
DATETIME_CONFIG = CURRENT


--

An upvote would be appreciated and Accept the solution if this reply helps!


codebuilder
Influencer

Since you have structured data with a header, you can use the built-in CSV sourcetype. Just set sourcetype = csv in inputs.conf on your forwarder.

Or you can create a custom one using INDEXED_EXTRACTIONS = csv. See the documentation below for details and additional settings.

https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Extractfieldsfromfileswithstructureddata#Use...

----
An upvote would be appreciated and Accept Solution if it helps!

SplunkDash
Motivator

Thank you. But I used

DATETIME_CONFIG=current
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
EVAL-_raw=replace(_raw,"\"","")
INDEXED_EXTRACTIONS=csv
KV_MODE=none
category=Structured

but it is showing no events. When I take off "DATETIME_CONFIG=current" and leave this value blank, it shows events with error messages ("Failed to parse timestamp"). Any help will be highly appreciated.

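An added example, not posted by anyone in this thread, that pairs the props.conf stanza from the accepted answer with the inputs.conf stanza that references it, and shows the timestamp settings that avoid the "Failed to parse timestamp" error when the CSV has a time column. The sourcetype name (my_csv_logs), the monitored path, the column names and the time format are constructed assumptions; adjust them to the real file. Both files go on the universal forwarder that reads the file, because INDEXED_EXTRACTIONS is applied where the file is read, which is why the accepted answer says to deploy to the UF rather than the HF.

```ini
# props.conf on the universal forwarder.
# Assumed sourcetype name: my_csv_logs
# Assumed header line (line 1) of the constructed sample file:
#   event_time,src_ip,user,action
[my_csv_logs]
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ,
FIELD_QUOTE = "
# Take _time from the named column; TIME_FORMAT must match the column's layout
# (assumed here to be 2021-07-15 21:04:13). Without these, Splunk guesses the
# timestamp and logs "Failed to parse timestamp" when the guess fails.
TIMESTAMP_FIELDS = event_time
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
# If the file has no usable time column, replace the three lines above with
# the accepted answer's fallback, which stamps events with index time:
# DATETIME_CONFIG = CURRENT

# inputs.conf on the same universal forwarder (assumed path and index).
[monitor:///var/log/app/export.csv]
sourcetype = my_csv_logs
index = main
disabled = false

# props.conf on the search head (search-time setting, no effect on the UF).
# Indexed CSV fields are already present, so turn off automatic key=value
# extraction to avoid duplicate field values in search results.
[my_csv_logs]
KV_MODE = none
```

After deploying, restart the forwarder and confirm that new events carry the header fields and a correct _time. LINE_BREAKER and SHOULD_LINEMERGE from the earlier attempt are not needed once INDEXED_EXTRACTIONS is set, since the structured-data parser on the forwarder determines event boundaries itself.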

codebuilder
Influencer

Where are you putting this? Also, why are you doing replacements on _raw?

----
An upvote would be appreciated and Accept Solution if it helps!

SplunkDash
Motivator

_raw was just generated automatically by the system when I pulled the source file through the Splunk web console to test my props. It doesn't make any difference if I take off that option.
