Getting Data In

What is the correct parameter in props.conf for a CSV file?

willmirko
New Member

Hi all, I'm pretty new here.

I need to assign a name to the fields of an imported .csv file,
but it doesn't work.
In the props.conf file I'm using these settings:

DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
HEADER_MODE = firstline
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
PREAMBLE_REGEX = ^\tDate
FIELD_NAMES = [ Date, Time, Cl, User Name, Terminal name, TCode, Program, Audit Log Msg Text, Long Text, Proc , WP, Data, Data, Data, Data ]

Can you help me?

thanks
Mirko

0 Karma
1 Solution

twinspop
Influencer

HEADER_MODE? I'm not familiar with it, but the docs show:

  • Determines whether to use the inline ***SPLUNK*** directive to rewrite index-time fields.

I don't think this is what you want. Instead maybe this:

HEADER_FIELD_LINE_NUMBER = <integer>

* Tells Splunk the line number of the line within the file that contains the
  header fields.  If set to 0, Splunk attempts to locate the header fields
  within the file automatically.

And if you use a header line, I don't think you want to list FIELD_NAMES.

Finally, I'd ditch the PREAMBLE_REGEX as well.


0 Karma

aakwah
Builder

Hello,

The following configuration worked fine for me:

props.conf

[CSV_Sourcetype]
REPORT-main= delimExtractions
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
pulldown_type = true

transforms.conf

[delimExtractions]
DELIMS=","
FIELDS=Number_of_Events,Action_Taken,Endpoint_Name,User_Name

Regards

0 Karma

nkkn87
New Member

Where to find this props.conf and transforms.conf?

0 Karma

nkkn87
New Member

Where to edit this props.conf and transforms.conf?

0 Karma


richgalloway
SplunkTrust

Try removing the brackets from the FIELD_NAMES line.

---
If this reply helps you, Karma would be appreciated.
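
The suggestions from the replies above, combined into two alternative index-time stanzas as an added example (not configuration posted by any participant in the thread). The stanza names, the assumption that the header row is line 1, and the underscore and numbered field names are choices made for this illustration.

```ini
# props.conf
# Typical locations: $SPLUNK_HOME/etc/system/local/ or an app's local/ directory.
# Structured-data (INDEXED_EXTRACTIONS) settings are applied where the file is
# read, so on a forwarder deployment this belongs on the forwarder.
# Comments must be on their own line; a trailing "# ..." becomes part of the value.

# Variant A: the CSV file carries its own header row.
# Field names come from that row, so FIELD_NAMES and PREAMBLE_REGEX are omitted.
# Stanza name is hypothetical; header on line 1 is an assumption.
[sap_audit_csv_with_header]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
pulldown_type = true
disabled = false

# Variant B: the CSV file has no header row.
# FIELD_NAMES is a bare comma-separated list: no surrounding brackets.
# Names are written without spaces and the four repeated "Data" columns are
# numbered so every column gets a distinct field (choices of this example).
[sap_audit_csv_no_header]
INDEXED_EXTRACTIONS = csv
FIELD_NAMES = Date,Time,Cl,User_Name,Terminal_name,TCode,Program,Audit_Log_Msg_Text,Long_Text,Proc,WP,Data1,Data2,Data3,Data4
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
pulldown_type = true
disabled = false
```

Use one variant per sourcetype, not both, and restart or reload the instance that reads the file before re-ingesting a test copy.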