Why is there a problem parsing empty CSV file whic...

danje57 · ‎02-12-2018

Hi,

I receive log file from my servers.

All files are CSVs.

CSVs which contain header + data are well parsed.
However, CSV which are empty an contain only the header following with nothing are not parsed correctly.

Indeed, when empty file are parsed, Splunk parses the headers of the CSV as data.

This is not the bahavior I want.

When I configure the source, I checked to ignore the first line as the first line is always the header.

Do you have any suggestion?

[csv_ad]
DATETIME_CONFIG =
HEADER_FIELD_LINE_NUMBER = 1
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
TIMESTAMP_FIELDS =

adonio · ‎02-14-2018

hello there,

please read here:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Extractfieldsfromfileswithstructureddata#Only...
maybe worthwhile to work with "no headers"
this answer explains it in more detail:
https://answers.splunk.com/answers/5404/best-way-to-define-fields-for-a-csv-with-no-headers.html

hope it helps

Why is there a problem parsing empty CSV file which only contain a header?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor