CSV files with scientific notation fields

external_alien_ · ‎07-22-2016

I have a folder monitored by Splunk where CSV files are uploaded and sucked into Splunk. Splunk reads them no sweat and I can work with the data, the only problem is that the numerical values in the CSV files are all in Scientific notation and look for example like “2.7584000000000e+04” instead of simply “27584”. Splunk interprets them as numerical (not string) and I can fix this at search time with a few evals, but I have to do it for every search and was wondering if there's no way to fix this before the CSV files are indexed in Splunk? Say via editing props.conf?

Any help is much appreciated 😃

woodcock · ‎07-22-2016

You can setup your eval statements as calculated fields using the EVAL- syntax here:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

external_alien_ · ‎07-22-2016

But doesn't that mean I have to know all the field names beforehand? Seeing as I have a large number of fields with values in scientific notation this is unfeasible, not to mention that field names may vary 😃
Is it theoretically possible to identify all values that contain say "e+" and rework them as plain decimal?

woodcock · ‎07-22-2016

In that case, you need to create a macro using foreach and then use it whenever you need it. That is the best that you can do. Unfortunately, you cannot make the macro call automatic.

CSV files with scientific notation fields

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes