Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why fields from CSV are not being extracted?

rbacon
Path Finder
‎08-01-2014 12:20 PM

I'm getting data from forwarders that are polling a CSV file. However the fields from the CSV are not being extracted. The file contents look something like: "FieldOne","FieldsTwo","FieldThree","FieldFour".

On the deploy server I have configured an app that gets deployed to all of the indexers and forwarders and the data is indexed into a new sourcetype and a new index. Following are the configurations that are deployed to the indexers and forwarders:

inputs.conf

[monitor://D:\Program Files (x86)\reports\splunk\lists.csv]
disabled = false
followTail = 0
index = lists
sourcetype = lists:reports

props.conf

[source::D:\Program Files (x86)\reports\splunk\lists.csv]

[lists:reports]
FIELD_DELIMITER=,
FIELD_QUOTE = "
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTIONS = csv
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false

I didn't configure a transforms.conf file. Thanks for your help!

0 Karma
Reply

Lamar
Splunk Employee
Splunk Employee
‎05-06-2015 04:38 AM

I recently had this same problem. The way I fixed it was by removing the FIELD_DELIMITER argument. I don't think it's something that you need since you're already defining what the delimiter is with 'INDEXED_EXTRACTIONS = csv'.

This behavior could be a bug or an intended feature of the configuration. FIELD_DELIMITER, I believe, is designed to allow the use of additional special characters in the event that one of the default INDEXED_EXTRACTIONS values aren't what your data supports.

0 Karma
Reply

gschmitz
Path Finder
‎09-07-2014 06:46 PM

Unfortunately no.

0 Karma
Reply

chris
Motivator
‎09-07-2014 12:24 PM

You are on Splunk 6 right (indexers & forwarders)? And there aren't any entries in the learned app that might interfer?

0 Karma
Reply

MuS
Legend
‎09-04-2014 02:04 AM

Hi rbacon & gschmitz,

I think the problem is your (x86) in the path, which will be handled as regex see the docs about Specify input paths with wild cards.
Try using quotes around the path and / or use this fancy tool http://blogs.splunk.com/?s=christmas to debug.

hope this helps ...

cheers, MuS

0 Karma
Reply

gschmitz
Path Finder
‎09-04-2014 01:33 AM

Hi,

I think I have the same problem. Did you manage to solve yours?

http://answers.splunk.com/answers/154071/csv-is-not-extracted-at-index-time

0 Karma
Reply
Get Updates on the Splunk Community!

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...