- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why is the field extraction only extracting on...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, this is one sample I'm trying to extract in order to visualize them in table. But when I select a sample field 8/2/2018 and name it as date, the extracted fields only has one single value instead of 6 dates as I expected.
Date,Spam Detected,Malware Detected,Phishing Email,ATP Safe Links,ATP Safe Attachments,Total Mail Received
8/2/2018,66456,872,1046,3,6,328550
8/3/2018,99360,317,1593,1,2,370798
8/4/2018,81288,58,826,1,0,136444
8/5/2018,60885,75,625,0,0,109609
8/6/2018,59562,851,1595,0,24,344166
8/7/2018,55283,350,460,2,13,284023
This is my props.config:
[****_security]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER=,
[source::/log/***/****/****_security_stat.csv/*/*/*]
sourcetype = ****_security
Does anyone know how to solve this problem? Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this in props.conf-
[****_security]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this in props.conf-
[****_security]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Thanks for your response. But I just tried, it's still not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you restarted splunk to take these effect...also after restarting next time when you ingest new file it will get applied these changes to new file and it will not affect already indexed files
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes I restarted. So you mean these changes will not affect already ingested data? Then guess this could be the reason
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes it won't affect already ingested data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I know why it did not work before, the SHOULD_LINEMERGE needs to be all lowercase? anyway thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@dannili not required to be in lowercase ...reference https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Configureeventlinebreaking
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
