Solved: What is the proper way to load a CSV File ?

sanujss · ‎11-25-2013

I have a CSV file which has a header. I want to load this in SPLUNK and want to perform searches using different fields. The file looks like :

TimeStamp, IPAddress, UserName, URL
2013-11-21 16:67:36,221.78.127.76,JADE,www.google.com
2013-10-22 12:55:37,341.78.125.77,JADE,www.rediff.com
2013-09-11 10:21:40,121.78.127.78,JADE,www.youtube.com
2013-08-24 07:11:25,121.78.128.80,JADE,www.ndtv.com

I tried to load it through the UI through : Add Data --> A file or directory of files --> Browsing for the file. Applied the source type CSV. But it is not recognizing the headers or the fields.

What is the proper way to do this ?

royimad · ‎11-25-2013

Extract the fields manually after indexing the file using Fields Extractions. Or you can edit props.conf and transform.conf files.

props.conf
[myfile]
KV_MODE = none
SHOULD_LINEMERGE = false
REPORT-Myfile = Myfile_extractions

transforms.conf
[Myfile_extractions]
DELIM=","
FIELDS=TimeStamp,IPAddress,UserName,URL

View solution in original post

royimad · ‎11-25-2013

Extract the fields manually after indexing the file using Fields Extractions. Or you can edit props.conf and transform.conf files.

props.conf
[myfile]
KV_MODE = none
SHOULD_LINEMERGE = false
REPORT-Myfile = Myfile_extractions

transforms.conf
[Myfile_extractions]
DELIM=","
FIELDS=TimeStamp,IPAddress,UserName,URL

sanujss · ‎11-25-2013

Thank you so much. Let me give a try

royimad · ‎11-25-2013

$SPLUNK_HOME/etc/apps/YOURAPPS/default , it depend on your installation, by default it's /opt/splunk/etc/apps/YOURAPPS/default

sanujss · ‎11-25-2013

Thanks royimad for the quick help. I am a new bee in SPLUNK. I can see lot of props.conf, transforms.conf in locations like system, legacy, apps etc. Which one I need to edit ?

What is the proper way to load a CSV File ?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!