Thank you for the answer, it makes sense. I didn't realize that Splunk will look for a csv header even if the data values appear as kv pairs. This makes sense now. Is there a recommended extension for a kv pair file (*.txt maybe?)
And I am hoping that if I ingest the exact same file as a *.txt, the "keys" will appear on the right-hand side as they are (ProductType=abc will appear as ProductType and not ProductType_abc, even if ProductType=abc is in the first line), correct?
I am a new user to Splunk Enterprise and have a basic question on how Splunk parses and displays data.
I am feeding a few .csv files (timestamp, kv pair) as my input. I was hoping that Splunk would automatically detect the "key" and show it as a field on the right-hand side (under Interesting Fields). And that's what is happening for the most part, but it is also appending a value with _. E.g., one of the fields is ProductType and it can appear as ProductType=abc, or ProductType=cde or ProductType=xyz.
What I have noticed is that if there is only one iteration of ProductType=abc and multiple iterations of other two, Splunk will show "ProductType_abc" under "Interesting Fields". But, when I click on it, it does show all three so I can still sort.
I learned that we can change config files, and also pre-define source fields, but my access is pretty locked down and I don't have direct access to config/sys data. Is there anything I can do in my source file that will make Splunk show just the "Keys" under Interesting Fields and not club them with any of the values?