Splunk Search

Why is the field extraction only extracting one value?

dannili
Communicator

Hi all, this is one sample I'm trying to extract in order to visualize them in table. But when I select a sample field 8/2/2018 and name it as date, the extracted fields only has one single value instead of 6 dates as I expected.

Date,Spam Detected,Malware Detected,Phishing Email,ATP Safe Links,ATP Safe Attachments,Total Mail Received
8/2/2018,66456,872,1046,3,6,328550
8/3/2018,99360,317,1593,1,2,370798
8/4/2018,81288,58,826,1,0,136444
8/5/2018,60885,75,625,0,0,109609
8/6/2018,59562,851,1595,0,24,344166
8/7/2018,55283,350,460,2,13,284023

This is my props.config:

[****_security]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER=,
 
[source::/log/***/****/****_security_stat.csv/*/*/*]
sourcetype = ****_security

Does anyone know how to solve this problem? Thanks in advance!

0 Karma
1 Solution

493669
Super Champion

try this in props.conf-

[****_security]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none

View solution in original post

0 Karma

493669
Super Champion

try this in props.conf-

[****_security]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none
0 Karma

dannili
Communicator

Hi Thanks for your response. But I just tried, it's still not working.

0 Karma

493669
Super Champion

have you restarted splunk to take these effect...also after restarting next time when you ingest new file it will get applied these changes to new file and it will not affect already indexed files

0 Karma

dannili
Communicator

yes I restarted. So you mean these changes will not affect already ingested data? Then guess this could be the reason

0 Karma

493669
Super Champion

yes it won't affect already ingested data

0 Karma

dannili
Communicator

I think I know why it did not work before, the SHOULD_LINEMERGE needs to be all lowercase? anyway thanks

0 Karma

493669
Super Champion

@dannili not required to be in lowercase ...reference https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Configureeventlinebreaking

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...