Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

csv extrtactions not working

saifuddin9122
Path Finder
‎12-29-2016 08:00 AM

Hello

am trying to ingest csv data into splunk.

inputs.conf
[monitor:///tmp/mycsv/test.csv]
sourcetype=mytest
index=csvfiles
disabled=false

and my props.conf looks like
[mytest]
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER = 1
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

when i search my data it is not extracting any fields.

can any one help me in solving this

Here is my csv file example

"_id","timestamp","eventName","transactionId","userId","trackingIds","runAs","objectId","operation","before","after","changedFields","revision","component","realm"
"123ab-776df","2016-12-19T13:42:41.001Z","session-timed-out","125-vca310324","id=abc,ab=user","[123aser445]",id=qr1249,ab=user","96c1c88","delete","","","","","session","/"

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-29-2016 08:34 AM

Hi saifuddin9122,
how are you receiving events, from a Forwarder or from a local drive?
if you are using a forwarder, you have to deploy props.conf in both Splunk server and Forwarders and inputs.conf on forwarders.
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-29-2016 09:38 AM

I have tried almost similar props.conf for csv sourcetype and field extraction worked fine for me.

PS: id=qr1249,ab=user" in your data should begin with double quotes. Can you please try to add a single csv file with Data Preview turned on? By default Splunk will apply csv sourcetype, on top of which you can tell first line to be Header line and timestamp column to be time field. Once preview is as per your need you can save sourcetype as Custom > mytest_csv , as per your need.

[mytest_csv ]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=AUTO
INDEXED_EXTRACTIONS=csv
category=Structured
description=Custom Comma-separated value. Header field line is 1. Timestamp column is timestamp.
disabled=false
HEADER_FIELD_LINE_NUMBER=1
TIMESTAMP_FIELDS=timestamp

alt text

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Preview file
110 KB
Preview file
110 KB
0 Karma
Reply
Solved! Jump to solution

saifuddin9122
Path Finder
‎12-29-2016 09:00 AM

i tried it other way also. i just wrote transforms.conf in which i specified DELIMS and FILEDS. it is also working but the only problem am facing by doing this is, the header field is also getting ingested.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-29-2016 08:34 AM

Hi saifuddin9122,
how are you receiving events, from a Forwarder or from a local drive?
if you are using a forwarder, you have to deploy props.conf in both Splunk server and Forwarders and inputs.conf on forwarders.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

saifuddin9122
Path Finder
‎12-29-2016 08:56 AM

Thanks For the reply....
it worked for me

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-29-2016 08:23 AM

Since this is structured data file, the props.conf should be on the forwarder where you're monitoring the file. See this:

http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Extractfieldsfromfileswithstructureddata#Forw...

Where have you put your props.conf file?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...