Why are fields from CSV not being extracted?

rbacon
Path Finder

I'm getting data from forwarders that are polling a CSV file. However, the fields from the CSV are not being extracted. The file contents look something like: "FieldOne","FieldsTwo","FieldThree","FieldFour".

On the deploy server I have configured an app that gets deployed to all of the indexers and forwarders and the data is indexed into a new sourcetype and a new index. Following are the configurations that are deployed to the indexers and forwarders:

inputs.conf

[monitor://D:\Program Files (x86)\reports\splunk\lists.csv]
disabled = false
followTail = 0
index = lists
sourcetype = lists:reports

props.conf

[source::D:\Program Files (x86)\reports\splunk\lists.csv]

[lists:reports]
FIELD_DELIMITER=,
FIELD_QUOTE = "
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTIONS = csv
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false

I didn't configure a transforms.conf file. Thanks for your help!

0 Karma

Lamar
Splunk Employee

I recently had this same problem. The way I fixed it was by removing the FIELD_DELIMITER argument. I don't think it's something that you need since you're already defining what the delimiter is with 'INDEXED_EXTRACTIONS = csv'.

This behavior could be a bug or an intended feature of the configuration. FIELD_DELIMITER, I believe, is designed to allow the use of additional special characters in the event that one of the default INDEXED_EXTRACTIONS values isn't what your data supports.

0 Karma

gschmitz
Path Finder

Unfortunately no.

0 Karma

chris
Motivator

You are on Splunk 6, right (indexers & forwarders)? And there aren't any entries in the learned app that might interfere?

0 Karma

MuS
SplunkTrust

Hi rbacon & gschmitz,

I think the problem is your (x86) in the path, which will be handled as regex; see the docs about "Specify input paths with wildcards".
Try using quotes around the path and/or use this fancy tool http://blogs.splunk.com/?s=christmas to debug.

hope this helps ...

cheers, MuS

0 Karma

gschmitz
Path Finder

Hi,

I think I have the same problem. Did you manage to solve yours?

http://answers.splunk.com/answers/154071/csv-is-not-extracted-at-index-time

0 Karma