Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I unable to extract all fields from a CSV log in Splunk 6.2.5?

dcascione
Explorer
‎03-29-2016 11:40 AM

I'm trying to extract fields from a basic .csv log with no luck.

Here is the file how it looks in Splunk 6.2.5..
alt text

When I try to configure a field extraction, Splunk only recognizes the very first instance....
alt text

Any help would be greatly appreciated - thanks!

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎03-29-2016 08:06 PM

In props.conf you need KV_MODE=multi
- Used for search-time field extractions only.
- Specifies the field/value extraction mode for the data.

0 Karma
Reply

cpraznowski_spl
Splunk Employee
Splunk Employee
‎03-29-2016 12:30 PM

The data is being loaded into a single event.

Should it break thusly?
3/29/2016,APC-DEV,-,0,0,0,0
3/29/2016,MPC-TEMP,0,3,03

If that's so, please let me know...

0 Karma
Reply

dcascione
Explorer
‎03-29-2016 12:38 PM

Yes, This is how I would like to see the log file break....

0 Karma
Reply

cpraznowski_spl
Splunk Employee
Splunk Employee
‎03-29-2016 12:49 PM

got it....that's the problem, need to break after the carriage return.

1) When you ingest the file, you need to create a new custom sourcetype.
2) in $splunk/etc/apps/search/local .... you'll see that new sourcetype referenced.
3) you need to instruct splunk to break after each line: LINE_BREAKER = ([\r\n]+)

...or the props.conf on the deployment server should work as well....

http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Indexmulti-lineevents

0 Karma
Reply

woodcock
Esteemed Legend
‎03-29-2016 12:25 PM

I assume you are using rex so you need to use the max_match=0 option.

0 Karma
Reply

dcascione
Explorer
‎03-29-2016 12:40 PM

Should this option be added to the props.conf located here: /opt/splunk/etc/deployment-apps/app_common/local ?

0 Karma
Reply

woodcock
Esteemed Legend
‎03-29-2016 08:02 PM

You did not mention props.conf in your question so we had to guess. That is why it is important to clearly spell out what you have done so far. No, max_match is not part of the props.conf way of extracting fields. I will post another answer.

0 Karma
Reply

cpraznowski_spl
Splunk Employee
Splunk Employee
‎03-29-2016 04:10 PM

When you go to production yes, tthe props.conf will then get sent to the forwarder that is collecting the data.

But for now you can test in : in $splunk/etc/apps/search/local .. and local the file a local directory to test...does that make sense?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...