Splunk Search

Why is the field extraction only extracting one value?

dannili
Communicator

Hi all, this is one sample I'm trying to extract in order to visualize them in table. But when I select a sample field 8/2/2018 and name it as date, the extracted fields only has one single value instead of 6 dates as I expected.

Date,Spam Detected,Malware Detected,Phishing Email,ATP Safe Links,ATP Safe Attachments,Total Mail Received
8/2/2018,66456,872,1046,3,6,328550
8/3/2018,99360,317,1593,1,2,370798
8/4/2018,81288,58,826,1,0,136444
8/5/2018,60885,75,625,0,0,109609
8/6/2018,59562,851,1595,0,24,344166
8/7/2018,55283,350,460,2,13,284023

This is my props.config:

[****_security]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER=,
 
[source::/log/***/****/****_security_stat.csv/*/*/*]
sourcetype = ****_security

Does anyone know how to solve this problem? Thanks in advance!

0 Karma
1 Solution

493669
Super Champion

try this in props.conf-

[****_security]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none

View solution in original post

0 Karma

493669
Super Champion

try this in props.conf-

[****_security]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none
0 Karma

dannili
Communicator

Hi Thanks for your response. But I just tried, it's still not working.

0 Karma

493669
Super Champion

have you restarted splunk to take these effect...also after restarting next time when you ingest new file it will get applied these changes to new file and it will not affect already indexed files

0 Karma

dannili
Communicator

yes I restarted. So you mean these changes will not affect already ingested data? Then guess this could be the reason

0 Karma

493669
Super Champion

yes it won't affect already ingested data

0 Karma

dannili
Communicator

I think I know why it did not work before, the SHOULD_LINEMERGE needs to be all lowercase? anyway thanks

0 Karma

493669
Super Champion

@dannili not required to be in lowercase ...reference https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Configureeventlinebreaking

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...