Hello,
Please let me know how I would write a props configuration file for this CSV file. A segment of sample data for this CSV file is given below. Any help will be highly appreciated, thank you!
Hi @SplunkDash
Can you try this and deploy it to the UF, not on the HF/intermediate forwarder? Restart the UF.
## props.conf
[your_sourcetype]
HEADER_FIELD_LINE_NUMBER = 1
INDEXED_EXTRACTIONS = CSV
DATETIME_CONFIG = CURRENT
--
An upvote would be appreciated and Accept the solution if this reply helps!
Since you have structured data with a header, you can use the built-in CSV sourcetype. Just set sourcetype = csv in inputs.conf on your forwarder.
Or you can create a custom one using INDEXED_EXTRACTIONS = csv
See the documentation below for details and additional settings.
An upvote would be appreciated and Accept Solution if it helps!
Thank you. But, I used
DATETIME_CONFIG=current
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
EVAL-_raw=replace(_raw,"\"","")
INDEXED_EXTRACTIONS=csv
KV_MODE=none
category=Structured
but it is showing no events. When I take off "DATETIME_CONFIG=current" and leave this value blank, it shows events with error messages ("Failed to parse timestamp"). Any help will be highly appreciated.
Where are you putting this? Also, why are you doing replacements on _raw?
An upvote would be appreciated and Accept Solution if it helps!
_raw is just generated automatically by the system when I pull the source file through the Splunk web console to test my props. It doesn't make any difference if I take off that option.
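
The two options suggested in the replies, put together as a forwarder-side configuration. This is an added example, not part of any reply in the thread; the monitor path, the `your_sourcetype` name as used here, the `event_time` column and the time format are placeholders, since the sample data is not shown on the page.

```ini
# inputs.conf on the universal forwarder (monitor path is a placeholder)
[monitor:///opt/data/example/*.csv]
sourcetype = your_sourcetype
# Alternative from the thread: use the built-in sourcetype instead
# sourcetype = csv

# props.conf on the same universal forwarder
# (structured-data settings such as INDEXED_EXTRACTIONS are applied
#  where the file is read, which is why the reply says UF, not HF)
[your_sourcetype]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1

# Either stamp each event with the time it is indexed, as in the reply ...
DATETIME_CONFIG = CURRENT

# ... or, in place of DATETIME_CONFIG, take the timestamp from a CSV column.
# "event_time" and the format string are hypothetical: use the header name
# and the date layout that actually appear in the file.
# TIMESTAMP_FIELDS = event_time
# TIME_FORMAT = %Y-%m-%d %H:%M:%S
```

A "Failed to parse timestamp" message with `DATETIME_CONFIG` unset usually means Splunk could not find a usable time in the event on its own, which is the case the commented `TIMESTAMP_FIELDS` / `TIME_FORMAT` pair addresses.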