- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I parse 2 sets of CSVs in one file?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How could I parse this?
section1String
field1,field2,field3
value1,value2,value3
value1,value2,value3
value1,value2,value3
section2String
field4,field5,field6,field7
value4,value5,value6,value7
value4,value5,value6,value7
value4,value5,value6,value7
The number of value lines is unknown. Please handle 4 cases
a) The header lines are known strings
b) The header lines satisfy a regex
c) The header lines are 1 line below a known string
d) The header lines are 1 line below a string satisfying a regex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=0 outputcsv FirstHalf.csv
| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=1 outputcsv SecondHalf.csv
| inputcsv FirstHalf.csv | append [|inputcsv SecondHalf.csv]
Note that this approach should work for any number of concatenated files, provided that filebreaker is the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=0 outputcsv FirstHalf.csv
| inputcsv TwoInOne.csv | rex "(?<filebreaker>SomRegExHere)" | streamstats current=t count(filebreaker) AS fileID | where fileID=1 outputcsv SecondHalf.csv
| inputcsv FirstHalf.csv | append [|inputcsv SecondHalf.csv]
Note that this approach should work for any number of concatenated files, provided that filebreaker is the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| inputcsv TwoInOne.csv | head 4 | outputcsv FirstHalf.csv
| inputcsv TwoInOne.csv | tail 4 | outputcsv SecondHalf.csv
| inputcsv FirstHalf.csv | append [|inputcsv SecondHalf.csv]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your suggestion should work on fixed number of lines. i have edited the question. thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The best thing to do is split the file on the outside of splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are there any line numbers in splunk? Can a splunk search grep for "field[1-3]" and "field[4-7]" and expand a subsearch to "4"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is an internal field called _serial which is a line-number. I will think more about this approach if my other answer does not work (let me know with followup comments).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
plz see edit1
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
