Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do I add fields to incoming data?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I add fields to incoming data?
raghu0463
Explorer
01-24-2019
06:02 PM
Hi,
I'm trying to load a CSV file using the universal forwarder, and there are no headers in the CSV file. How can I give column names to those values in the file? Can I do that at props.conf? I don't want to use the extract field option...
eg : file.csv as below values
1,2,3,4,5
6,7,8,9,10
11,12,13,14,15
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
01-25-2019
01:58 AM
if you want to define the stanza by the source file name you can use:
[source::/path/to/file.csv]
FIELD_NAMES = A,B,C,D,E
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
01-24-2019
07:39 PM
@raghu0463 ,
You can configure them in props.conf
[your sourcetype for csv file]
FIELD_NAMES =field1,field2,.....
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raghu0463
Explorer
01-24-2019
09:19 PM
how does it identifies from which source and file ? if I just mention only csv
i.e
[csv]
FIELD_NAMES = A,B,C,D,E
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
01-24-2019
10:43 PM
@raghu0463 , thats what meant by [your sourcetype for csv file]. You need to set a sourcetype for your file based on the content. Or you can use source/host in the SPEC
Common SPEC
[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of
different <spec>.
* Follow this stanza name with any number of the following setting/value
pairs, as appropriate for what you want to do.
* If you do not set an setting for a given <spec>, the default is used.
<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
event.
3. source::<source>, where <source> is the source, or source-matching
pattern, for an event.
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!
Detecting Remote Code Executions With the Splunk Threat Research Team
WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...
.conf24 | Session Scheduler is Live!!
.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...
