Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

FIELD_NAMES for Missing Headers of CSV

emccaslin
Path Finder
‎12-11-2013 12:45 PM

I have a comma separated csv file with missing headers. From the props.conf.spec below it has the configuration setting in your props.conf file:


FIELD_NAMES = [ <string>,..., <string>]
* Some CSV and structured files might have missing headers. This attribute tells Splunk to specify the header field names directly.

My problem is I have been unable to get this to work. I push this into the props.conf file and when the logs are indexed I cannot find the field names.

Example csv file looks like this:



1,2,3,4,5

6,7,8,9,10

The headers should be a,b,c,d,e, so what should I set FIELD_NAMES equal to?

FIELD_NAMES = [a,b,c,d,e]
or
FIELD_NAMES = ["a","b","c","d","e"]
or
FIELD_NAMES = [<a>,<b>,<c>,<d>,<e>]
or
FIELD_NAMES = [<"a">,<"b">,<"c">,<"d">,<"e">]

or some other variation? I tried running btool check on my configurations but it doesn't reject what I have tried.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-19-2013 11:51 AM

Here is what you need to have:

Some data in a log file:

place1,41.66164,-87.74477
place2,41.66587,-86.894357
place3,41.72614,-85.97314

inputs.conf - Ensure you set a sourcetype

[monitor:///Users/splunker/Desktop/places.log]
sourcetype=geo

props.conf - Referencing the sourcetype

[geo]
SHOULD_LINEMERGE = false
FIELD_NAMES = location,latitude,longitude

alt text

View solution in original post

Reply
Solved! Jump to solution
Solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-19-2013 11:51 AM

Here is what you need to have:

Some data in a log file:

place1,41.66164,-87.74477
place2,41.66587,-86.894357
place3,41.72614,-85.97314

inputs.conf - Ensure you set a sourcetype

[monitor:///Users/splunker/Desktop/places.log]
sourcetype=geo

props.conf - Referencing the sourcetype

[geo]
SHOULD_LINEMERGE = false
FIELD_NAMES = location,latitude,longitude

alt text

Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-19-2013 01:58 PM

Please Accept the answer by selecting the check box next to my answer! Thanks!

0 Karma
Reply
Solved! Jump to solution

emccaslin
Path Finder
‎12-19-2013 01:31 PM

Thank you!

0 Karma
Reply
Solved! Jump to solution

emccaslin
Path Finder
‎12-19-2013 11:09 AM

My data is not enclosed in brackets, and removing the brackets from FIELD_NAMES did not work. Now I am just adding a field extraction and field transformation post-processing to deal with this issue.

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎12-11-2013 12:59 PM

Try removing the brackets:

FIELD_NAMES = "a","b","c","d","e"

Is your data enclosed in brackets?

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...