Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I unable to extract all fields from a CSV log in Splunk 6.2.5?

dcascione
Explorer
‎03-29-2016 11:40 AM

I'm trying to extract fields from a basic .csv log with no luck.

Here is the file how it looks in Splunk 6.2.5..
alt text

When I try to configure a field extraction, Splunk only recognizes the very first instance....
alt text

Any help would be greatly appreciated - thanks!

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎03-29-2016 08:06 PM

In props.conf you need KV_MODE=multi
- Used for search-time field extractions only.
- Specifies the field/value extraction mode for the data.

0 Karma
Reply

cpraznowski_spl
Splunk Employee
Splunk Employee
‎03-29-2016 12:30 PM

The data is being loaded into a single event.

Should it break thusly?
3/29/2016,APC-DEV,-,0,0,0,0
3/29/2016,MPC-TEMP,0,3,03

If that's so, please let me know...

0 Karma
Reply

dcascione
Explorer
‎03-29-2016 12:38 PM

Yes, This is how I would like to see the log file break....

0 Karma
Reply

cpraznowski_spl
Splunk Employee
Splunk Employee
‎03-29-2016 12:49 PM

got it....that's the problem, need to break after the carriage return.

1) When you ingest the file, you need to create a new custom sourcetype.
2) in $splunk/etc/apps/search/local .... you'll see that new sourcetype referenced.
3) you need to instruct splunk to break after each line: LINE_BREAKER = ([\r\n]+)

...or the props.conf on the deployment server should work as well....

http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Indexmulti-lineevents

0 Karma
Reply

woodcock
Esteemed Legend
‎03-29-2016 12:25 PM

I assume you are using rex so you need to use the max_match=0 option.

0 Karma
Reply

dcascione
Explorer
‎03-29-2016 12:40 PM

Should this option be added to the props.conf located here: /opt/splunk/etc/deployment-apps/app_common/local ?

0 Karma
Reply

woodcock
Esteemed Legend
‎03-29-2016 08:02 PM

You did not mention props.conf in your question so we had to guess. That is why it is important to clearly spell out what you have done so far. No, max_match is not part of the props.conf way of extracting fields. I will post another answer.

0 Karma
Reply

cpraznowski_spl
Splunk Employee
Splunk Employee
‎03-29-2016 04:10 PM

When you go to production yes, tthe props.conf will then get sent to the forwarder that is collecting the data.

But for now you can test in : in $splunk/etc/apps/search/local .. and local the file a local directory to test...does that make sense?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...