I have a comma separated csv file with missing headers. From the props.conf.spec below it has the configuration setting in your props.conf file:
FIELD_NAMES = [ <string> ,..., <string> ]
* Some CSV and structured files might have missing headers. This attribute tells Splunk to specify the header field names directly.
My problem is I have been unable to get this to work. I push this into the props.conf file and when the logs are indexed I cannot find the field names.
Example csv file looks like this:
1,2,3,4,5
6,7,8,9,10
The headers should be a,b,c,d,e, so what should I set FIELD_NAMES equal to?
FIELD_NAMES = [a,b,c,d,e]
or
FIELD_NAMES = ["a","b","c","d","e"]
or
FIELD_NAMES = [ <a> , <b> , <c> , <d> , <e> ]
or
FIELD_NAMES = [ <"a"> , <"b"> , <"c"> , <"d"> , <"e"> ]
or some other variation? I tried running btool check on my configurations but it doesn't reject what I have tried.
... View more