Hi Abeeber,
It's best to keep the field names on the top line of the CSV. Splunk will automatically pick them up as field names.
file1.csv:
_time,IP,lOC
2016-03-08T23:02:31.000+00:00,10.10.10.1,US
2016-03-08T23:02:31.000+00:00,10.10.10.2,JAP
2016-03-08T23:02:31.000+00:00,10.10.10.3,IND
Settings -> Add Data -> Monitor -> Files & Directories (file1.csv)
After adding the data you can see this in props.conf:
[checking]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
You can directly search with the field names [ _time, IP, lOC ].
Regards,
Nagee.
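The header-driven extraction described in the answer above (first CSV line supplies the field names, each following line is one event with a parsed `_time`), as an added Python example that is not part of the original post or of Splunk itself. The sample rows are constructed from the file1.csv shown, with one deliberately malformed row appended to show how a header/row mismatch is caught instead of being mapped onto the wrong fields.

```python
import csv
import io
from datetime import datetime

# Constructed sample mirroring file1.csv from the post: header row first,
# then one event per line. The last row is deliberately malformed
# (missing the lOC column) to exercise the mismatch check.
SAMPLE_CSV = """_time,IP,lOC
2016-03-08T23:02:31.000+00:00,10.10.10.1,US
2016-03-08T23:02:31.000+00:00,10.10.10.2,JAP
2016-03-08T23:02:31.000+00:00,10.10.10.3,IND
2016-03-08T23:02:31.000+00:00,10.10.10.4
"""


def parse_splunk_time(value):
    """Parse the ISO-8601 timestamp format used in the post
    ("2016-03-08T23:02:31.000+00:00") into a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def extract_events(text):
    """Emulate INDEXED_EXTRACTIONS = csv: the first line supplies the field
    names and every later line becomes one event keyed by those names.
    Returns (events, errors); a row whose column count differs from the
    header is reported with its line number rather than silently shifted."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    events, errors = [], []
    for lineno, row in enumerate(reader, start=2):  # header is line 1
        if not row:
            continue  # blank line, nothing to index
        if len(row) != len(header):
            errors.append((lineno, f"expected {len(header)} fields, got {len(row)}"))
            continue
        event = dict(zip(header, row))
        event["_time"] = parse_splunk_time(event["_time"])
        events.append(event)
    return events, errors


def search(events, **filters):
    """Minimal equivalent of searching by field name, e.g. search(events, lOC="US")."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]
```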