Solved: Re: CSV file with column named "Index"

apnetmedic · ‎03-24-2016

I've got a CSV file with a column called "Index." Naturally, this is a bit of a problem. Is there a way to deal with this other than making a new sourcetype for it and specifying the header row? I'd rather not do that because:

I actually have about 5 related CSV types with the same issue,
The exact column headers may change subtly between different software loads on the devices uploading them, and
I'm lazy, and this is something I'd only use occasionally. It might be easier for me to just hand-edit or sed the input files to rename the field.

I see a field called extracted_index when these files come in, and it appears to have the original value in it, but I can't seem to use it in a search or eval or stats command like I want to. What's up with that?

woodcock · ‎03-24-2016

I am skeptical of your assertion at the end. You definitely should be able use extracted_index (or extracted_Index?) That's the whole reason that Splunk creates it!

View solution in original post

woodcock · ‎03-24-2016

I am skeptical of your assertion at the end. You definitely should be able use extracted_index (or extracted_Index?) That's the whole reason that Splunk creates it!

apnetmedic · ‎03-24-2016

Ah! Indeed. Victim of my own typo. I had "index" on the brain and thus typed it as such: extracted_index, lowercase. Original field was Index, so it's extracted_Index.

All is right with the world.

CSV file with column named "Index"

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases