I'm trying to index a .CSV, created by tasklist.
The CSV's headers and fields never get properly recognized and it gets indexed as a whole array:
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Services","0","24 K","Unknown","NT AUTHORITY SYSTEM","2:07:39","N/A"
"System","4","Services","0","300 K","Unknown","N/A","0:00:07","N/A" "smss.exe","344","Services","0","1,204 K","Unknown","N/A","0:00:00","N/A" "csrss.exe","448","Services","0","5,028 K","Unknown","N/A","0:00:00","N/A" "csrss.exe","504","Console","1","3,772 K","Unknown","N/A","0:00:00","N/A"
"wininit.exe","512","Services","0","4,500 K","Unknown","N/A","0:00:00","N/A"
"winlogon.exe","540","Console","1","4,476 K","Unknown","N/A","0:00:00","N/A"
"services.exe","604","Services","0","8,700 K","Unknown","N/A","0:00:02","N/A"
"lsass.exe","612","Services","0","13,624 K","Unknown","N/A","0:00:01","N/A"
"lsm.exe","620","Services","0","6,016 K","Unknown","N/A","0:00:00","N/A"
inputs.conf
# Batch input: picks up files dropped into $SPLUNK_HOME\TEMP and tags the
# resulting events with the source / sourcetype set below.
[batch://$SPLUNK_HOME\TEMP]
# sinkhole = the file is deleted once it has been read. Keep a copy of the
# tasklist export elsewhere if the original must be retained (e.g. as evidence).
move_policy = sinkhole
# NOTE(review): confirm in inputs.conf.spec that batch inputs honour `interval`.
interval = 60
# Lower-case value. source:: stanzas in props.conf match case-sensitively by
# default, so any stanza keyed on this source must use the same spelling.
source = transformfile
sourcetype = transformfile
disabled = 0
props.conf
# Intended to enable CSV header detection, turn off line merging and attach the
# phy_csv delimiter extraction to events from this source.
# NOTE(review): inputs.conf sets source = transformfile (lower case); source::
# stanzas match case-sensitively by default - confirm this stanza applies at all.
[source::TRANSFORMFILE]
# NOTE(review): the setting is spelled CHECK_FOR_HEADER. The doubled underscore
# and the embedded space look like paste damage - check the file on disk.
CHECK__FOR _HEADER=TRUE
# NOTE(review): the setting is spelled SHOULD_LINEMERGE (no space).
SHOULD _LINEMERGE = false
# NOTE(review): props.conf recognises REPORT-<class> (search time) and
# TRANSFORMS-<class> (index time); "TRANSFORM-" matches neither prefix. A
# DELIMS/FIELDS transform is a search-time extraction, so REPORT- is the one
# that references it.
TRANSFORM-transformfile = phy_csv
transforms.conf
# Delimiter-based extraction: split each event on commas and assign the names
# in FIELDS to the resulting values in order. DELIMS/FIELDS are valid for
# search-time extractions only.
[phy_csv]
DELIMS=","
# Names mirror the tasklist header row shown in the sample data.
# NOTE(review): values such as "1,204 K" carry a comma inside the quotes -
# verify that those rows still split into nine fields.
FIELDS="Image Name", "PID", "Session Name", "Session#", "Mem Usage", "Status", "User Name", "CPU Time", "Window Title"
Any help here?