Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to index a csv file which is not in a correct format

benazir
Explorer
‎12-15-2017 06:28 AM

Hi ,
Here is my scenario,
I have to index the below csv file, where the format looks like this , confused with the props file, kindly need your advice .

"RowID      session_id  ObjName   ProcStartTime             Days          [Duration in milliseconds]                  sql_command             sql_text     wait_info   blocking_session_id    blocked_session_count                  physical_io                  phyiscal_reads            query_plan                  open_tran_count                  percent_complete      start_time"
"15428778 1206          InsertsettlemerchantAll2              2017-12-13 14:02:00.913              00              116                                                (9ms)WRITELOG                           0                                                     8                                                     1                                  2017-12-13 14:02:10.953"
"15428787 1308          InsertPendingTrans     2017-12-13 14:02:10.953              00              46                                  (9ms)WRITELOG                           0                                                     8                                                     1                                  2017-12-13 14:02:10.953"

Each Row id : eg : 15428778 , 15428787 should index as a single event from the log file . is it possible ?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎12-16-2017 03:23 PM

Whenever I have trash files, I write a parser in Perl, setup a cron job to look for incoming files, fix them, then write the repaired files to where Splunk is looking for them. Then I have a 2x4 talk with the developers.

0 Karma
Reply

DalJeanis
Legend
‎12-15-2017 12:14 PM

Looks like either it is a physical report, or perhaps a tab delimited file that you have copied from a screen. You need to verify the underlying layout by editing the file in a very basic editor like notepad. Is it tabs between the fields, or a collection of spaces?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2017 11:36 AM

What you have is not a CSV file. Is every row enclosed in quotes? Are the field separated by spaces, tabs, or something else?
I looks like this will be a custom sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...