Splunk Search

Prop Conf for CSV input data

SplunkDash
Motivator

Hello,

Please let me know how I would write Props Configuration file for this csv file. Segment of sample data for this csv file is given below. Any help will be highly appreciated, thank you!

 

malekmo_1-1626381853803.png

 

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

Hi @SplunkDash 

can you try this and deploy it to UF not on HF/intermediate forwarder. Restart UF.

 

## props.conf
[your_sourcetype]
HEADER_FIELD_LINE_NUMBER = 1
INDEXED_EXTRACTIONS = CSV
DATETIME_CONFIG = CURRENT

 

--

An upvote would be appreciated and Accept the solution if this reply helps!

View solution in original post

venkatasri
SplunkTrust
SplunkTrust

Hi @SplunkDash 

can you try this and deploy it to UF not on HF/intermediate forwarder. Restart UF.

 

## props.conf
[your_sourcetype]
HEADER_FIELD_LINE_NUMBER = 1
INDEXED_EXTRACTIONS = CSV
DATETIME_CONFIG = CURRENT

 

--

An upvote would be appreciated and Accept the solution if this reply helps!

codebuilder
Influencer

Since you have structured data with a header you can use the built-in CSV sourcetype. Just set sourcetype = csv inputs.conf on your forwarder.

Or you can create a custom one using INDEXED_EXTRACTIONS = csv
See the documentation below for details and additional settings.

https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Extractfieldsfromfileswithstructureddata#Use...

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

SplunkDash
Motivator

Thank you. But, I used

 

DATETIME_CONFIG=current

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n]+)

NO_BINARY_CHECK=true

CHARSET=UTF-8

EVAL-_raw=replace(_raw,"\"","")

INDEXED_EXTRACTIONS=csv

KV_MODE=none

category=Structured

but, showing no events.......when I take off "DATETIME_CONFIG=current" and leave this value blank... it's showing events with error messages ("Failed to parse timestamp"). Any help will be highly appreciated. 

 

0 Karma

codebuilder
Influencer

Where are you putting this? Also, why are you doing replacements on _raw?

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

SplunkDash
Motivator

_raw  just generated automatically from the system when I pull the source file  through SPLUNK web console to test my PROPS. It doesn't make any differences if I take off take option

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...