- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to extract the one time header on top of the r...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract the one time header on top of the real header.
Hi, I'm new to splunk and would like some help with tackling my task at hand,
-
NO INDEX DATE STIME ETIME REP ACTIVITY RESULT ID TYPE PLACE
17892 4/10/2015 14:13:48 14:14:03 15 CYCLE_REP GOOD NONE ONE_TIME T
Date , Time ,Model ID,SEATPAD ID,OffsetA,OffsetB,SEATPAD Type,Result,Job,
4/10/2015,12:14:06,KC10,1,0.2,-1,101,FAILED,C:\ONE_TIME\Type\NO A.mdb,
4/10/2015,12:14:06,KC2,2,0.3,-0.3,102,GOOD,C:\ONE_TIME\Type\NO A.mdb,
4/10/2015,12:14:06,KC2,3,-0.5,-0.02,103,GOOD,C:\ONE_TIME\Type\NO A.mdb,
4/10/2015,12:14:06,KC90,4,-0.5,-1,104,FAILED,C:\ONE_TIME\Type\NO A.mdb,
4/10/2015,12:14:06,KC90,5,-0.03,-2,105,FAILED,C:\ONE_TIME\Type\NO A.mdb,
4/10/2015,12:14:06,KC10,6,-0.04,-0.6,106,FAILED,C:\ONE_TIME\Type\NO A.mdb,
How do I index the one time header on top of the real header as the sample above? When the CSV file is added to Splunk, only the header, which starts at Date, Time, Model ID.....,Job, is indexed and fields can be extracted. The header on top of that, and the information that comes with it, is ignored. Any help is welcome.
I have tried changing the props.conf, which is indexed at line NO INDEX.. But then, I cannot extract the field properly since the other information doesn't use the same header.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
possible to change the way the csv is designed?
Leave the first 2 rows as it is
cut and paste everything from Date till end of data in excel to the first blank column in row 1 in the csv after the last column with value in row 1. For example cut from date till end of data and paste it in the first row after the PLACE column in row 1?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that's a good suggestion, but in my case, it is not possible to change the csv file format.
I tried indexing twice, once with the csv as a sourcetype, meaning the data with commas as a delimiter will be extracted into fields, and then again with a custom sourcetype where I will truncate the file to just the upper header and extract the fields. then join the two index when searching, but indexing twice does not seem to be an optimized solution when dealing with a large volume of data.
Any other option?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
