All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Issue with CSV import

paddy3883
Path Finder
‎01-08-2013 08:07 AM

I'm using this app but whenever I import a CSV it seems to lose the values from the last column e.g.

EventValueFilter,Duration,Earliest,Limit

"EVENTA","1000"," ","| head 5 "

"EVENTB","2000"," ","| head 5 "

"EVENTC","3000"," ","| head 5 "

And when i use the app:

| importutil http http://mysite/mycsv.csv

| multikv

| table EventValueFilter, Duration, Earliest, Limit

It returns the values for the first three fields but no values for Limit. If I add an extra dummy value to each row it will return the values for Limit but not for the new column.

Splunk is running on Windows server 2003 R2, version 4.2.3, build 105575.

Screenshot of CSV file

alt text

Screenshot of splunk

alt text

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nicholasgrabows
Path Finder
‎01-08-2013 11:33 AM

paddy, The scenario you described works for me. I was able to read in and display all fields from a csv file that looks like

EventValueFilter,Duration,Earliest,Limit
"EVENTA","1000"," ","| head 5 "
"EVENTB","2000"," ","| head 5 "
"EVENTC","3000"," ","| head 5 "

I've only tested on a Mac, but it should work for splunk running on unix and windows. What OS are you running on? What version of splunk? Can you send a screen shot of the output you are seeing?

Regarding the map issue. I'm not sure I understand the question. Can you explain in more detail.

View solution in original post

Reply
Solved! Jump to solution

paddy3883
Path Finder
‎01-11-2013 02:02 AM

I've emailed on the details as requested.

0 Karma
Reply
Solved! Jump to solution

nicholasgrabows
Path Finder
‎01-10-2013 10:32 PM

I've tested with a similar file on windows 7 with splunk 4.2.3 and it appears to work. One other question. What version of importutil are you using? 1.0 beta1 (i.e. the latest version)? If not try downloading the latest version and reinstalling. Assuming you are using the latest, can you try executing importutil from the command line:

cd %SPLUNK_HOME%\etc\apps\importutil\bin
%SPLUNK_HOME%\bin\splunk cmd python importutil.py http http://yourhost/your.csv

Email the results to splunk@ngsoft.org. Also, would you mind sending me a copy of the csv file.

0 Karma
Reply
Solved! Jump to solution
Solution

nicholasgrabows
Path Finder
‎01-08-2013 11:33 AM

paddy, The scenario you described works for me. I was able to read in and display all fields from a csv file that looks like

EventValueFilter,Duration,Earliest,Limit
"EVENTA","1000"," ","| head 5 "
"EVENTB","2000"," ","| head 5 "
"EVENTC","3000"," ","| head 5 "

I've only tested on a Mac, but it should work for splunk running on unix and windows. What OS are you running on? What version of splunk? Can you send a screen shot of the output you are seeing?

Regarding the map issue. I'm not sure I understand the question. Can you explain in more detail.

Reply
Solved! Jump to solution

paddy3883
Path Finder
‎01-14-2013 03:02 AM

On the map issue discussed above, when I run a map command after the initial importutl code it doesn't seem to pick up the values. e.g.

| importutil format=splunk http http://mysite/mycsv.csv
| multikv
| table EventValueFilter, Duration, Earliest, Limit
| map [search source=MySource $EventValueFilter$ $Limit$
| stats avg(Timing) as Timing by TransactionName
| where Timing >= $Duration$] maxsearches=99
| fields TransactionName, Timing

It returns 9 rows with no values for either TransactionName or Timing shown. The initial import CSV contains 9 records.

0 Karma
Reply
Solved! Jump to solution

paddy3883
Path Finder
‎01-14-2013 01:32 AM

Thanks for your help on the import issue here

0 Karma
Reply
Solved! Jump to solution

paddy3883
Path Finder
‎01-09-2013 02:39 AM

I've edited my response above for the first issue.

Regarding the map issue, I meant that when I added in an additional value for each row in the CSV and Splunk was pulling out the four values correctly, if I then added the map command above to iterate over each line it didn't seem to evaluate the parameters out. For example, values for both $EventValueFilter$ and $Limit$ were empty for each row. I will get screenshots and add

0 Karma
Reply
Solved! Jump to solution

paddy3883
Path Finder
‎01-08-2013 08:29 AM

Also, when I do add the dummy field to get all the values I need out, I am unable to use this with the map command. e.g.

| map [search source=MySource $EventValueFilter$ $Limit$ | stats avg(Timing) as Timing by TransactionName | where Timing >= $Duration$] maxsearches=99

It fails to bind the values from the CSV file to parameters in the sub-query for the map command.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...