Splunk Enterprise

Splunk parsing and displaying data: What can I do in my source file to make Splunk show just the "Keys" under Interesting fields and not club them with any of the values?

samsingla
New Member

I am a new user to Splunk Enterprise and have a basic question on how Splunk parses and displays data.

I am feeding a few .csv files (timestamp, kv pair) as my input. I was hoping that Splunk would automatically detect the "key" and show it as a field on the right hand side (under Interesting Fields). And that's what is happening for the most part, but it is also appending a value with _. e.g. one of the fields is ProductType and it can appear as ProductType=abc, or ProductType=cde or ProductType=xyz.

What I have noticed is that if there is only one iteration of ProductType=abc and multiple iterations of other two, Splunk will show "ProductType_abc" under "Interesting Fields". But, when I click on it, it does show all three so I can still sort.

I learned that we can change config files, and also pre-define source fields, but my access is pretty locked down and I don't have direct access to config/sys data. Is there anything I can do in my source file that will make Splunk show just the "Keys" under Interesting Fields and not club them with any of the values?

0 Karma
1 Solution

DalJeanis
SplunkTrust

As described, this may be a problem with your csv layout and/or with ingestion.

Normally, in a CSV, the first line establishes the names of the fields. Any odd characters in the column header are cleaned by Splunk and replaced by underscores. Thus, if you have a column whose header says ProductType=abc, that field name will be rendered as ProductType_abc. If you are getting a field named that, and the values are ProductType_abc, ProductType_xyz and so on, then what you have is not exactly a CSV, but a file with key-value pairs that are separated by commas.


0 Karma
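To make the difference between the two interpretations concrete, here is an added example (not code from the thread and not Splunk's own implementation) that models the two ways the same four lines can be read: once as a CSV whose first line is a header, with non-alphanumeric characters in header names replaced by underscores, and once as plain key=value extraction where every line is data. The sample lines, the cleaning rule and the function names are constructed for illustration; the cleaning rule is a simplified approximation of Splunk's field-name sanitising, not its exact behaviour.

```python
import re
from collections import defaultdict

# Constructed sample in the layout described in the question: no header row,
# every line is a timestamp followed by comma-separated key=value pairs.
SAMPLE_LINES = [
    "2024-03-01 10:00:00,ProductType=abc,Region=us-east",
    "2024-03-01 10:00:05,ProductType=cde,Region=us-west",
    "2024-03-01 10:00:09,ProductType=xyz,Region=eu-west",
    "2024-03-01 10:00:12,ProductType=cde,Region=us-east",
]


def clean_field_name(name: str) -> str:
    """Simplified model of header-name cleaning (assumption, not Splunk's code):
    every character that is not a letter, digit or underscore becomes '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name.strip())


def extract_as_csv(lines):
    """Model of CSV ingestion: the first line is taken as the header, so the
    literal text 'ProductType=abc' becomes the field name 'ProductType_abc'
    and the first event is consumed as a header rather than indexed."""
    header = [clean_field_name(col) for col in lines[0].split(",")]
    fields = defaultdict(set)
    for line in lines[1:]:
        for name, value in zip(header, line.split(",")):
            fields[name].add(value)
    return dict(fields)


def extract_as_kv(lines):
    """Model of key=value extraction: every line is data and each key=value
    token yields a field named after the key alone."""
    kv_re = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>[^,]*)")
    fields = defaultdict(set)
    for line in lines:
        for match in kv_re.finditer(line):
            fields[clean_field_name(match.group("key"))].add(match.group("value"))
    return dict(fields)


def interesting_fields(extracted):
    """Sorted field names, standing in for the 'Interesting Fields' sidebar."""
    return sorted(extracted)


if __name__ == "__main__":
    print("Read as CSV with header:", interesting_fields(extract_as_csv(SAMPLE_LINES)))
    print("Read as key=value pairs:", interesting_fields(extract_as_kv(SAMPLE_LINES)))
    print("ProductType values (kv):", sorted(extract_as_kv(SAMPLE_LINES)["ProductType"]))
```

Run as CSV, the model yields field names such as ProductType_abc and Region_us_east, and the one ProductType=abc event is lost to the header; run as key=value pairs, it yields ProductType and Region with all three product values intact. That silent loss of the first event is worth checking for in any log pipeline that feeds detections, not just the field-name oddity the question asks about.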


samsingla
New Member

Thank you for the answer, it makes sense. I didn't realize that Splunk will look for a CSV header even if the data values appear as kv pairs. This makes sense now. Is there a recommended extension for a kv pair file (*.txt, maybe)?

And I am hoping that if I ingest the exact same file as a *.txt, the "keys" will appear on the right hand side as-is (ProductType=abc will appear as ProductType and not ProductType_abc, even if ProductType=abc is in the first line), correct?

0 Karma

DalJeanis
SplunkTrust

The first line is a data line, so yes, any ingestion method that tells the system to extract the kv pairs will work. Try using the GUI to ingest the data into a test instance, and let Splunk walk you through the process. You should be able to find the right method pretty quickly.

0 Karma