I have a comma-separated CSV file with missing headers. According to the props.conf.spec excerpt below, there is a configuration setting for this in your props.conf file:
FIELD_NAMES = [ <string>,..., <string>]
* Some CSV and structured files might have missing headers. This attribute tells Splunk to specify the header field names directly.
My problem is I have been unable to get this to work. I push this into the props.conf file and when the logs are indexed I cannot find the field names.
Example csv file looks like this:
1,2,3,4,5
6,7,8,9,10
The headers should be a,b,c,d,e, so what should I set FIELD_NAMES equal to?
FIELD_NAMES = [a,b,c,d,e]
or
FIELD_NAMES = ["a","b","c","d","e"]
or
FIELD_NAMES = [<a>,<b>,<c>,<d>,<e>]
or
FIELD_NAMES = [<"a">,<"b">,<"c">,<"d">,<"e">]
or some other variation? I tried running btool check on my configurations but it doesn't reject what I have tried.
Here is what you need to have:
Some data in a log file:
place1,41.66164,-87.74477
place2,41.66587,-86.894357
place3,41.72614,-85.97314
inputs.conf - Ensure you set a sourcetype
[monitor:///Users/splunker/Desktop/places.log]
sourcetype=geo
props.conf - Referencing the sourcetype
[geo]
SHOULD_LINEMERGE = false
FIELD_NAMES = location,latitude,longitude
Please accept the answer by selecting the check box next to my answer! Thanks!
Thank you!
My data is not enclosed in brackets, and removing the brackets from FIELD_NAMES did not work. Now I am just adding a field extraction and field transformation post-processing to deal with this issue.
Try removing the brackets:
FIELD_NAMES = "a","b","c","d","e"
Is your data enclosed in brackets?
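The two approaches discussed in this thread, side by side, as an added example that is not from any of the posters: naming the columns at index time with the structured-data settings, and the search-time field extraction plus transform the asker fell back to. It reuses the `geo` sourcetype from the answer; the transform name `geo_csv_fields` and the `REPORT-geo_fields` class name are hypothetical. In props.conf.spec, FIELD_NAMES is listed among the structured-data header settings, which apply at input time together with INDEXED_EXTRACTIONS.

```ini
# --- Option 1: index-time, structured-data parsing ---
# props.conf, deployed on the instance that reads the file
# (the forwarder, if a forwarder monitors it)
[geo]
INDEXED_EXTRACTIONS = csv
FIELD_NAMES = location,latitude,longitude

# --- Option 2: search-time, delimiter-based extraction ---
# props.conf on the search head
[geo]
# "geo_csv_fields" is a hypothetical transform name
REPORT-geo_fields = geo_csv_fields

# transforms.conf on the search head
[geo_csv_fields]
DELIMS = ","
FIELDS = "location","latitude","longitude"
```

Option 1 only affects data indexed after the change, while Option 2 also applies to events already in the index. Running `splunk btool props list geo --debug` shows which file each effective setting for the sourcetype comes from.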