Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

while indexing csv with slash and hyphen in the header that is getting modified to underscore

surekhasplunk
Communicator
‎03-29-2018 09:30 AM

Hi,

I have a csv file which i am indexing first and then generating the output.csv file using savedsearches.conf file.

The data is coming properly but there is a problem with headers. The outputlookup file which is getting generated is converting all the forward slashes and hyphen symbols in the header to underscore.

For ex: column header at source csv file - "First/Last Name","Designation","Skill - Level"
getting converted to destination csv file - "First_Last Name","Designation","Skill_Level"

How do get the headers as it is in the output lookup file ?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-29-2018 12:13 PM

The headers in a CSV are field names. Splunk field names are restricted to letters, digits, and underscores. Splunk automatically converts invalid field name characters to underscores when it encounters them. You can't change that, otherwise you'd have invalid field names in your index(es).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-29-2018 12:13 PM

The headers in a CSV are field names. Splunk field names are restricted to letters, digits, and underscores. Splunk automatically converts invalid field name characters to underscores when it encounters them. You can't change that, otherwise you'd have invalid field names in your index(es).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-01-2018 02:37 AM

Thanks @richgalloway for the clarification.
Then is there any way I can rename them after indexing or add alias name, back to the fieldnames with slash so that the dashboards which are already developed to work with inputlookup field names (with slash) doesn't need to be modified any more.

Thanks
Surekha

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-01-2018 06:43 AM

Yes, you can rename them. Try ... | rename "First_Last Name" as "First/Last Name", Skill_Level as "Skill - Level" | ... as the last command before outputlookup.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-05-2018 01:48 AM

Hi @richgalloway,
I have got into another csv file which has # symbol at the beginning of the field names.
So some field names look like this "# Of Employees"
And i have seen after indexing the files and creating the output.csv file i dont get these fields at all.
However am getting the values for those fields.

So can you help me with the rex to create the fields as if i use comma as delimeter then some Name is a field where comma is there inside the name thats getting divided into 2 fields

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-05-2018 05:45 AM

The # symbol indicates the beginning of a comment. Avoid using it.
To include a comma in a field put quotation marks around the field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...