Getting Data In

Hunk is not displaying custom fields for csv in time of searching

nil_pakhi
Engager

Hi,
I am new to hunk.I have integrated hunk 6.2 with HDP 2.1.I am trying to do search on CSV using Hunk which are exported using sqoop?
My problem is after defining custom fields for a CSV file, those are not showing when I do searching in Hunk.
Headers already added in props.conf

[csv-emp]
FIELD_NAMES = versionno,id,empid,createdby,updatedby,createddate,updateddate
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

search query :
index="etms" source="/apps/sqoop/db/employee_address/part-m-00000" sourcetype="csv-emp"

what I need to do for filtering by custom fields in search time?

Tags (3)
0 Karma

Ledion_Bitincka
Splunk Employee
Splunk Employee

INDEXED_EXTRACTIONS are not supported in Hunk. However Hunk is able to automatically recognize structured data files, especially csv - in this case it is failing because of the lack of the file extension. If the files contain headers (ie first line == header) you can do the following

[vix]
... 
vix.input.1.recordreader = com.splunk.mr.input.SimpleCSVRecordReader
vix.input.1.recordreader.csv.regex = /part-m-\d+$

If the files do not contain headers (as they seem to be the output of MR job) you should use delimiter based KV extraction:

.../local/props.conf

[csv-emp]
REPORT-emp-fields = emp-fields
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
pulldown_type = true

.../local/transforms.conf

[emp-fields]
DELIMS = ","
FIELDS =  versionno,id,empid,createdby,updatedby,createddate,updateddate

nil_pakhi
Engager

Thanks It works.But I had to define some additional changes.
I mentioned source for the file.

[source::/apps/sqoop/db/employee_address/part-m-00000]
sourcetype = csv-emp

The other problem is the fields in searching result could not recognize the datatypes.How can I define data type in the source type?

0 Karma

Ledion_Bitincka
Splunk Employee
Splunk Employee

The other problem is the fields in searching result could not recognize
the datatypes.How can I define data type in the source type?

In Hunk/Splunk you don't need to define datatypes, they're automatically detected/converted at operation time. Are you running into any specific issues?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...