Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

while indexing csv with slash and hyphen in the header that is getting modified to underscore

surekhasplunk
Communicator
‎03-29-2018 09:30 AM

Hi,

I have a csv file which i am indexing first and then generating the output.csv file using savedsearches.conf file.

The data is coming properly but there is a problem with headers. The outputlookup file which is getting generated is converting all the forward slashes and hyphen symbols in the header to underscore.

For ex: column header at source csv file - "First/Last Name","Designation","Skill - Level"
getting converted to destination csv file - "First_Last Name","Designation","Skill_Level"

How do get the headers as it is in the output lookup file ?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-29-2018 12:13 PM

The headers in a CSV are field names. Splunk field names are restricted to letters, digits, and underscores. Splunk automatically converts invalid field name characters to underscores when it encounters them. You can't change that, otherwise you'd have invalid field names in your index(es).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-29-2018 12:13 PM

The headers in a CSV are field names. Splunk field names are restricted to letters, digits, and underscores. Splunk automatically converts invalid field name characters to underscores when it encounters them. You can't change that, otherwise you'd have invalid field names in your index(es).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-01-2018 02:37 AM

Thanks @richgalloway for the clarification.
Then is there any way I can rename them after indexing or add alias name, back to the fieldnames with slash so that the dashboards which are already developed to work with inputlookup field names (with slash) doesn't need to be modified any more.

Thanks
Surekha

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-01-2018 06:43 AM

Yes, you can rename them. Try ... | rename "First_Last Name" as "First/Last Name", Skill_Level as "Skill - Level" | ... as the last command before outputlookup.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-05-2018 01:48 AM

Hi @richgalloway,
I have got into another csv file which has # symbol at the beginning of the field names.
So some field names look like this "# Of Employees"
And i have seen after indexing the files and creating the output.csv file i dont get these fields at all.
However am getting the values for those fields.

So can you help me with the rex to create the fields as if i use comma as delimeter then some Name is a field where comma is there inside the name thats getting divided into 2 fields

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-05-2018 05:45 AM

The # symbol indicates the beginning of a comment. Avoid using it.
To include a comma in a field put quotation marks around the field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...